EXCLUSIVE STATE OF THE CSO SURVEY RESULTS
PAGE 24

Security has never had a better seat at the table. But will you be ready when the music stops? PAGE 26

www.csoonline.com $9.00 June 2009


A RECENT INDEPENDENT STUDY SHOWS THAT JUNIPER CAN REDUCE NETWORK OPERATION COSTS BY UP TO 41%.

A FACT THAT'S HARD TO IGNORE, UNLESS YOU'RE TOO BUSY MANAGING YOUR NETWORK.

DEMAND MORE RETURN ON INNOVATION.

Find out more by downloading the complete commissioned study conducted by Forrester Consulting at juniper.net/save

Juniper Networks


June 2009 Vol. 8, No. 5

Features...

24 Risk and Reward
Survey Security’s stock is moving opposite the world economy. Will it last? By Derek Slater

26 CSO: Future Tense
Leadership From incident reaction to proactive risk assessment, the CSO role has evolved dramatically in the last few years. Next stop: new services and business operations intelligence. By Joan Goodchild

30 Ten Dos and Don’ts for Security Job Interviews
Career The tight job market makes the interview more high stakes than ever. We asked seasoned security recruiters for reminders on how to stand out from the pack. By Joan Goodchild

Also Inside...

2 From the Editor
4 From the Publisher

6 Join the Discussion
CISOs may not have the big picture on risk; Bill the Cat lives; three simple steps to hack a smartphone

11 Briefing
■ A wake-up call for emergency planners
■ Securing service-oriented architecture
■ Why the top U.S. cyber official is losing sleep
■ Swedish man indicted in 2004 Cisco code theft
■ Security wisdom watch: swine flu edition
■ Can Somali pirates be stopped?
■ New cybersecurity standards for North American power system

20 Web Application Firewalls
Toolbox Application layer attacks bypass normal perimeter defenses. Here's how to evaluate boxes that screen that traffic, too. By Mary Brandel

32 A Case of Help Desk Failure
Undercover How a lack of coordination between departments at a large bank opened up a big security hole, and what we did about it. By Anonymous

34 Password Seeks Partner for Long-Term Secure Relationship
Forrester View Key trends in strong authentication. By Bill Nagel

36 Debriefing
NISST Guide to Application of Security Humor


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: $. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover  illustration  by  Stephen  Webster 


June  2009  www.csoonline.com  1 


FROM THE EDITOR

Service Masters

Congratulations. You’re doing magnificent work. Don’t let up.

Sure, you're getting a pretty good tailwind from the economy. Rotten times seem to increase everyone’s appreciation for security. Poorly managed risk (thinking of mortgage-backed securities here) increases everyone’s desire for well-managed risk.

Nevertheless, I don’t think the sour economy accounts for all the positive results in our “2009 State of the CSO” survey. See page 24 for details, but the upshot is that security is very well regarded at this point in American corporate history, which means you’ve come a long way in less than a decade. The CSO, in many places, has become an important participant in effective organizational governance. More than ever, you’re regarded not just as the person who bars the doors, but as a person who safeguards the value of the company.

Senior Editor Joan Goodchild takes a look at this evolution of the CSO on page 26. There is great value in taking stock and recognizing achievements from time to time. After all, who doesn’t need an occasional pat on the back?

But as always, it’s the future that interests me more than the past.

What happens to the CSO position in three years? In 10? And what should you be doing now in order to deliver a positive future rather than simply waiting to react to whatever circumstances should befall you?

To repeat a point made in this space before, I think the future of the security department is about using the sensors you have in place (cameras, log files, card readers, investigations) to deliver actionable business intelligence back to the company. David Kent, Genzyme’s CSO, hints at this in Goodchild’s article when he says, “The interesting work will be in discovering the new connections and building the resulting services that we don’t know about today.”

Some of these services that security may offer in the future presumably will be relatively direct extensions of today’s expertise.

An example: brand protection. Tim Williams at Caterpillar sits on a new working group focusing on the challenge of brand protection. This brings security’s expertise (search and investigation, for instance) together with legal and marketing and other departments. It’s a broader application of the concept of security.

Other services may utilize the security group’s capabilities for nonsecurity purposes. Some security groups today manage all corporate air travel. Some handle all logistics for off-site executive meetings. Those aren’t pure security tasks, but the capabilities developed by the security function are a great match.

In still other cases, security may simply hand off data it has collected. An oft-cited example would be using in-store loss prevention cameras to analyze foot traffic and customer behavior around merchandise displays.

And in really extreme cases, this data will provide the basis not just for tactical changes but actual business process transformation. Security company ADT, which calls this the pinnacle of their Levels of Integration framework, gives as an example the redesign of a retail supply chain based on data collected through RFID infrastructure.

Such services are, of course, a layer on top of more traditional day-to-day activities. Sometimes an access card is just an access card. But today’s CSOs should be priming their systems for a future in which every security application is tuned to deliver as much business value as they can imagine, and even more.

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Kristin Burnham
Editorial Administrator Simone Levien
Contributors Mary Brandel, Stephen Lawson, Bill Nagel

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO MEDIA INC.

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant




Photo  by  Webb  Chappell 


SYMANTEC PROTECTS MORE [word-cloud illustration: Fortune 1500 enterprises, mobile devices, emails, servers, information systems, manufacturers, organizations, governments, social networks, websites, files, virtual environments, communities, small businesses, Windows environments, nonprofits, individuals] THAN ANYONE

SYMANTEC IS THE WORLD LEADER IN SECURITY.

Know what it takes to be secure today at go.symantec.com/securityleader

Confidence in a connected world.

Symantec

©2009 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


FROM THE PUBLISHER

Sky High

The cloud is becoming an object of obsession with many CSOs as they struggle to manage the expanding scope of their networks and the proliferation of their data. Art Coviello at RSA calls this the hyper-extended enterprise.

Here’s the premise and the challenge: IT organizations, driven by the cost-constraining demands of the business, are racing to adopt new technologies that offer the promise of significant cost savings and performance improvements. Cloud computing is a great example of this. The challenge is that these technologies are being adopted quickly and often without the proper security due diligence. The net result is that while a business may be saving a bunch of money, it is also exposing itself to risks that have not been properly vetted so mitigating controls can be instituted, if needed.

Security in the cloud can, however, have two meanings: security operations occurring in a cloud-based IT environment or security services hosted in a cloud environment. Both should be of interest to the CSO.

I heard a great example of how the cloud is sneaking into the enterprise without the knowledge of the security teams. At a pharma business, the security organization had been putting the brakes on a Web 2.0 project that the IT team was keen on. The CSO was at a company meeting a few months later (still thinking the project was killed) at which the application development team was recognized with an award for boot-strapping a project—the one that had been rejected by security—and successfully implementing the solution in a cloud model. Instead of stepping back and addressing the very real concerns raised by security, the developers had gone out and built a cloud solution using a company credit card. It was an end-run around security.

On the flip side, there are some great services popping up that use the cloud to help businesses manage security. These are not your father’s MSSPs. HP, for example, has launched an application security service in a SaaS/cloud model (the HP Application Security Center) that allows a business to manage its application development and testing processes across the enterprise. They have found, as have others, that good application security isn’t just necessary to avoid compliance penalties but is increasingly a requirement just so they can win business and enter into partnerships. As partners and suppliers push security demands and requirements out to their partners and suppliers in their hyper-extended enterprise, good, solid security practices are a requisite expectation backed up in contractual commitments and “trust but verify” audits.

So while cloud security has its challenges, there are even more great models for security solutions based in the cloud that offer real benefits to businesses. As the CSO, make sure you are engaging the IT teams to understand where they are evaluating cloud solutions and to make sure they understand the risks. Also, make sure you are looking at what the cloud can do for your security operations.

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

CA ... C4
CDW Corp ... 10
CXO Media Inc ... 21
Executive Women’s Forum ... 19
Hewlett-Packard Co ... 17
HID Corp ... 5
ISACA ... 9
Juniper Networks, Inc ... C2
Lumension Security ... 7
RSA Security ... 13, 15
Symantec Corp ... 3
Verisign ... C3


President and CEO Michael Friedenberg
Publisher Bob Bragdon
National Sales Manager Per Melker
Senior Ad Sales Associate Christine McKay
East Coast Regional Sales Manager Roz Burke
West Coast Regional Sales Manager Michelle McHugh

INTEGRATED MEDIA AND ONLINE SALES
Vice President, Online Sales Brian Glynn
Online Regional Sales Manager Richard Hartman
Online Regional Sales Manager, West Coast Erika Karr
Manager, Online Account Services Danielle Tetreault
Online Account Services Specialists Jennifer Malkasian, Tara Shea

CUSTOM SOLUTIONS GROUP
Vice President Matt Avery
National Sales Director Adam Dennison

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley
Associate Production Manager Lisa M. Stevenson

EXECUTIVE PROGRAMS
VP, Executive Programs Ellen Daly
Director, Event Marketing Mary Conroy
Director, Event Operations Deb Begreen
Editorial Manager Lafe Low
Sales Associate Lauren Costello
Event Planner Sarah Reagan
Event Planner/Client Relations Laura Biringer
Registration Specialist Cress O’Brien
Senior Marketing Specialist Lauren Wilson
Client Services Specialist Erica Foster

LIST SERVICES
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com




Photo  by  Christopher  Navin 


hidglobal.com

HID, the world leader in physical access control can now provide secure access to your network. All on your current card.

have long been used as a means of log-on security, an easier, more reliable way to control access to Windows® is the same way you do with your doors - with HID contactless technology. You don’t have to re-badge. It’s ready to go from day one with the same credential. And it’s an easy transition for cardholders because they’re already familiar with the contactless technology. Proven, cost-effective, simple - HID is where convenience meets security on the desktop.

Get your FREE white paper at passwords.hidglobal.com

ACCESS logic.


What’s  on  your  mind?  Security  leaders  discuss 
and  debate  at  www.csoonline.com. 


BLOG POST

The Next CRO: Is It You?

Dan Lohrmann says CISOs may not have the big picture on risk

It was 6:15 a.m., and I was about half done with my daily workout on the treadmill in my basement. I was watching First Business out of Chicago. The topic was Aon’s “2009 Global Risk Management Survey,” and the interview really surprised me.

Laura Taylor of Aon described the top 10 list and how things changed from 2007. She even made a few predictions about 2011. According to the survey respondents, the top 10 most pressing risks are:

1. Economic slowdown;
2. Regulatory/legislative changes;
3. Business interruption;
4. Increasing competition;
5. Commodity price risk;
6. Damage to reputation;
7. Cash flow/liquidity risk;
8. Distribution or supply chain failure;
9. Third-party liability;
10. Failure to attract or retain top talent.

I stopped the treadmill. (I never do that.) OK, where’s cyber? How about data breach, information security, identity theft, hackers, viruses, worms, protecting critical infrastructure or anything remotely related to securing computers or technology? No mention of Payment Card Industry (PCI) compliance, protecting health records or other personal information, extortion attempts against companies and governments or foreign governments spying on companies.

What’s up with that? Do these results surprise you as much as they did me?

I know, I know—a contrary argument can be made that information security risk and/or other IT risks are built into most of these items. It is true that business reputation includes online activities, but aren’t we stretching things if we go down that road? The “virus example” given for business interruption was the swine flu virus.

There are many implications of this survey for CSOs, CISOs and other IT professionals. The survey helps security staff understand and use business language to describe risk. But there’s another interesting ramification of these results that may impact your career. The Internet is full of stories about security governance and the proper role of the CSO. Many articles suggest that CSOs or CISOs will ultimately become (or merge with) the new “hot job” called chief risk officer (CRO)—reporting to company CEOs. Similar stories go back to my early days as a CISO in 2003.

One of the first articles I read on CSOonline.com was from the very talented VP and CSO from Motorola, Bill Boni. I’ve learned much from Bill over the years, and I respect and admire his approach to security and risk. Bill’s view on this topic? “As the role develops, the CSO will become more of a chief risk officer, an executive in charge not only of the technological risks a company may face but also the business risks married to security concerns.”

Bill’s described path for CSOs to become CROs became my career perspective during the years I served as Michigan’s CISO (from May 2002 until January 2009). The chief risk officer role seemed like a logical next step for my career. But as the CRO role continues to grow in importance, the path to a CRO may be different than many CSOs think. Most skills listed have little to do with technology.

A few disclaimers: I think the CSO and CISO roles are more alive and healthy today than ever before. I don’t think they are going away anytime soon. My move to chief technology officer had nothing to do with any fears for the security profession. In fact, I get more internal and external contacts than ever before—people who ask about how they can become CISOs. Perhaps the industry is heading toward a chief IT risk officer, as Gartner described late last year. That role would report to a company or governmentwide CRO, but I still like CISOs reporting to CIOs, if the CIO reports to the governor (or CEO) and runs IT.

Hopefully the main point of this is clear: Broadening your perspective on risk can help. Keep trying to see the business point




protect your data

[Timeline illustration]
Past: Company goes public; Upgrade network and backup storage; Hire new IT Director and Compliance Director; Expand operations; Market conditions hurt revenue growth
Present: Budgets tighten across the board; Engage Lumension for security solution; Reduce IT and security TCO; Data and network protected
Future: Meet industry compliance audit; Positioned for economic turnaround

Reduce Risk. Not Revenue.

Lumension
IT Secured. Success Optimized.

Download our white paper on Reducing Security TCO at www.lumension.com/security-tip-21
1.888.725.7828

Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance


>>  DISCUSSION 


of view. Don’t back down on technology issues, but be open to new angles and listen to their problems.

Or getting more personal, if you think you’ll be the next chief risk officer, are you sure?

-Dan Lohrmann


BLOG POST

Bill the Cat Lives (or, Run Forrest Run)

Once upon a time, a CSO wanted to deploy a honey pot to catch “bad guys” accessing corporate financials. Of course, the corporate financial system is located behind firewalls with access based on roles and transactions logged for activity and anomalies. The CSO wanted to deploy this honey pot internally so it looked like the corporate financial system. With holes in the perimeter large enough to drive a truck through and existing technologies only partially deployed, it seemed a bit asinine to put a honey pot anywhere in the environment, much less internally, to catch the unseen bad guys. I could think of dozens of other risk-related strategies with which to use the financial and human resources needed to deploy and maintain the honey pot that would actually improve the corporate security posture. Besides, there was no evidence anywhere of any issue at any time related to such goblin-like activity. Usually you have some evidence beforehand and would try to use a risk-based approach to technology deployments instead of some White Rabbit nightmare looking like Columbo that drives you to the internal honey pot epiphany. So why would anyone think that the financials were being inappropriately accessed either by hackers or internal ghosts in the network?

I can only assume it was a good dose of paranoia, pureed with a Napoleonic complex, sprinkled with feelings of inadequacy, stirred with a dash of Mighty Mouse (“Here I come to save the day...”) and a sprig of Bill the Cat behind the thought patterns here. (Kinda scary, ain’t it?)

I think the CSO could have run several different reports that provided access activity logs and entitlement review reports. Or some open-source tool to sniff for odd activities. In fact, Sox requires such reporting that must be based at least upon the last 12 months demonstrating no out-of-the-ordinary activity. In fact, these same reports must be used quarterly as part of the Sox entitlement review process and validated by both internal audit and an external auditing group. This was simply a person believing there was a need to deploy new technology when technology already existing and processes and procedures corresponding to proven controls were already in place. Believing that process and procedure are distasteful and a waste of time, this CSO seemed to come up with some new idea garnered in some Ellsworth Toohey fashion that required technology deployments as a method of program and self-worth.

Whoever heard of putting in an internal honey pot when you have holes the size of

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com.


trucks at the perimeter that you can drive through? And who would you catch? Most likely some of his own minions acting on his behalf to prove the theory. You may wish to get away quickly (“Run, Forest, run!”).

AckThtbbft!!! -Jeff Bardin


MORE ON THE WEB

3 Simple Steps to Hack a Smartphone

Watch security firm Trust Digital demonstrate how easy it is to steal data and push nasty stuff to a mobile device with nothing more than a phone number. www.csoonline.com/article/491200




ISACA® Certifications

ISACA certifications increase your value to employers and clients.

AWARDS 2009 WINNER
Honored in the U.S.
CISA wins SC Magazine's Best Professional Certification
CISM named finalist for SC Magazine's Best Certification Program

Being a CISA®, CISM® and/or CGEIT®:
> Counts in the hiring process.
> Enhances your credibility and recognition.
> Boosts your earning potential.

Secure Your Career: Get Certified.
Visit www.isaca.org/csomag.

ISACA
Serving IT Governance Professionals


Cisco Gold Certified Partner

There's no good way to find out someone has stolen your data. CDW can help make sure you never have to.

The Right Technology. Right Away.

Offer subject to CDW's standard terms and conditions of sale, available at CDW.com. ©2009 CDW Corporation

• Secures your network against attacks such as worms, viruses, spyware, keyloggers, Trojan horses, rootkits and hackers
• Combines feature-rich VPN connectivity with comprehensive threat defense to deliver cost-effective remote network access
• Protects users accessing the network from a personal or public PC with Cisco Secure Desktop

• Breaks the infection chain by blocking access to malicious files and websites
• Reduces business risks by preventing infection, identity theft, data loss, network downtime, lost productivity and compliance violations
• Provides a complete endpoint security suite to protect all types of endpoints

$41499 CDW 1065037
Call CDW for pricing
$5516 CDW 1722206
CDW Exclusive Bundle

Cisco® ASA 5505 Adaptive Security Appliance
Trend Micro™ OfficeScan™ 10 Client-Server Suite
Check Point® UTM-1™ 270 Appliance

We're there with the security solutions you need.

With data and identity theft on the rise, now might be the best time to start beefing up your security. Lucky for you, CDW has people ready to help. Our personal account managers work along with highly trained technology specialists to find the perfect data security solutions for you. And with our custom configuration services, everything will be ready to go when it arrives. Call CDW today and we'll introduce you to some of the best security guards in the business.

CDW.com 800.399.4CDW

• Check Point Secure Business Bundles includes a full-featured firewall appliance and Check Point Endpoint Security with software updates, security updates and standard technical support for one year
• Secure Business Bundles provide all the components required for a complete security solution


“I worry about [questions surrounding cybersecurity] every night; they infiltrate my dreams.” page 14

Edited by Bill Brenner

A Wake-up Call for Emergency Planners

Think swine flu is an overblown health threat with negligible security consequences? Think again.

Johanna Delgadillo wears a mask as she waits to disembark an Aeromexico flight from Mexico. (Photo by AP/Brennan Linsley)

The world went into panic mode over swine flu when it began spreading like wildfire early last month, first in Mexico, then the U.S. and beyond. Then it became evident that most cases were mild, no worse than garden-variety seasonal flu. People moved on in search of something else to worry about.

And so went another textbook example of how we panic too much when a threat is in the news and plan too little when the headlines dissipate.

The reality, at least in the case of swine flu, is that the threat was low in spring but could morph into something more sinister in the fall and winter. Emergency preparedness experts say there’s no cause for panic, but that this is a reminder that organizations should always be thinking about how to keep the machinery moving in the event that something big and unexpected happens.

For emergency planners, there are both physical and cybersecurity challenges to think about regarding swine flu and other potential pandemic viruses.

On the physical side, private entities should be hammering out a game plan for who would do what and where if the government decided to restrict our movements to contain an outbreak, says Kevin Nixon, an emergency planning expert who has testified before Congress and served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security and the Federal Trade Commission.

“Companies and employers that have not done so are being urged to establish a business continuity plan should the government direct state and local governments to immediately enforce their community containment plans,” Nixon says.

If the federal government does direct states and communities to implement their emergency plans, recommendations, based on the severity of the pandemic, may include:

■ Asking ill people to voluntarily remain at home and not go to work or out in the community for about seven to 10 days or until they are well and can no longer spread the infection to others. (Ill individuals may be treated with influenza antiviral medications, as appropriate, if these medications are effective and available.)

■ Asking members of households with a person who is ill to voluntarily remain at home for about seven days. (Household members may be provided with antiviral medications if these medications are effective and sufficient in quantity and feasible mechanisms for their distribution have been developed.)

■ Dismissing students from schools (including public and private schools as well as colleges and universities) and school-based activities and closure of childcare programs for up to 12 weeks, coupled with protecting children and teenagers through social distancing in the community, to include reductions of out-of-school social contacts and community mixing. Childcare programs discussed in this guidance include centers or facilities that provide care to any number of children in a nonresidential setting, large family childcare homes that provide care for seven or more children in the home of the provider and small, family childcare homes that provide care to six or fewer children in the home of the provider.

■ Recommending social distancing of adults in the community, which may include cancellation of large public gatherings; changing workplace environments and schedules to decrease social density and preserve a healthy workplace to the greatest extent possible without disrupting essential services; ensuring work-leave policies to align incentives and facilitate adherence with the measures outlined above.

On the IT security side, organizations need to be thinking about how to stay on top of things like log monitoring and patch management in the event of sickness among the IT security staff.

Kevin Coleman, a strategic management consultant at Technolytics, says companies should also plan for limitations on business travel, bring in extra cleaning crews and keep employees at home if they complain of so much as a sniffle.

“Encourage anyone who feels the least bit sick to stay home,” Coleman says. “If an employee can do all the work from home on company laptops and VPNs that they do in the office, there’s no reason to have them come in. If you can limit exposure from the get-go, why wouldn’t you?”

Meantime, Coleman says companies should ramp up the cleaning-crew activity that’s already going on, mostly after office hours. Bringing in extra cleaning crews to wipe down heavily touched surfaces like doors, walls, phones and keyboards is money well spent, he says.

“Employees can also do their part to limit the spread of flu by carrying around antibacterial hand wipes,” he says, noting that some of his clients have already pulled back on the amount of employee business travel.

It’s far from certain that we’re in for a deadly 1918-style pandemic. Either way, security experts say going over the scenarios and building a game plan is time well spent.

-Bill Brenner

June 2009 www.csoonline.com 11

>> BRIEFING


Q&A

SOA Security: How a Lil’ Irish Luck Went a Long Way

David Yeates, IT head for EBS Building Society, gives an overview of the Irish financial firm’s approach to securing its service-oriented architecture

From a security perspective, service-oriented architecture (SOA) is a tricky thing. It’s not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.

The EBS Building Society, one of Ireland’s largest financial services companies, wanted SOA for its ability to quickly model (and change) business processes. And it’s IT head David Yeates’ responsibility to secure the resulting architecture. Below, he explains the process his company took to achieve secure SOA.

(Listen to audio of the Yeates interview “How to Secure Your SOA,” at www.csoonline.com/podcast/491924.)

CSO: Why did SOA make sense despite the security concerns?

Yeates: SOA has the potential to be an extremely important strategic business tool. The future IT emphasis will be on process-driven development and component-based solutions like Siebel component assembly, Oracle Fusion, IBM’s component business models and so on. Future complex financial IT applications, meanwhile, may span multiple organizations in real time with organizations acting as both suppliers and consumers in such an environment and exposing applications to B2B customers as Web services.

This has major implications for an IT organization that must now seriously consider the following areas: governance and service management and an integrated security infrastructure to address Web services and XML security.

With those security issues in mind, describe the implementation process that EBS followed.

In implementing an application infrastructure based on SOA principles, we had four distinct phases:

1. Simple Internal Integration (tactical, technology driven): This focused on application and platform-level, peer-to-peer communication; elements of coarse and fine-grained services.

2. Rich Internal Integration (technology driven): Addressed the complexity and cost of distributed applications, the application spaghetti environment, rudimentary service business technologies, elements of routing and transformation and multichannel applications.

3. External Partner Integration (business driven): Extending an SOA-based application infrastructure to consume and/or provide B2B services.

4. Core Business Functionality (strategic, business driven): Process-driven development, Web services integration and orchestration; business process modelling and monitoring.

Dive deeper into how you reached the conclusion that the security architecture was needed.

Service-oriented applications are fundamentally different from traditional monolithic applications. Web services are dynamic; they look up, discover and bind to each other at run time. This means that the internal network also has to be considered a dirty environment. A process-driven development creates dynamic applications where business processes can be easily created and changed.

This presents major change management, service management and compliance challenges for an organization. Transactional security becomes very complex, very fast.

What did you ultimately decide to do about it?

We found that the ideal solution was to abstract the security, auditing and control functionality away from individual applications and into the network fabric itself.

-B.B.
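A gateway-side sketch of what pulling security out of individual services and into a shared enforcement point can look like for two of the attack classes the interview names: bounding what an XML parser will accept (against XML denial-of-service) and remembering message identifiers inside a freshness window (against capture-replay). This is an added example, not EBS Building Society’s code or any product’s. The Envelope/Header/MessageID/Timestamp layout is an assumed simplification of WS-Addressing style headers, timestamps are assumed to be epoch seconds, and the size, depth and window limits are illustrative.

```python
"""Gateway checks for two of the SOA attack classes named in the interview:
XML denial-of-service and capture-replay. Added example, not EBS Building
Society's code. The Envelope/Header/MessageID/Timestamp layout is an assumed
simplification of WS-Addressing style headers; all limits are illustrative."""
import io
import re
import time
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024     # assumed per-message size ceiling
MAX_DEPTH = 32            # assumed nesting ceiling
MAX_ELEMENTS = 10_000     # assumed element-count ceiling
REPLAY_WINDOW = 300       # seconds a message id is remembered (assumed)

# Entity-expansion attacks need a DTD, so any declaration is refused before parsing.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_bounded(payload: bytes) -> ET.Element:
    """Parse XML under size, depth and element-count limits.
    Raises ValueError with a reason rather than letting the parser exhaust memory."""
    if len(payload) > MAX_BYTES:
        raise ValueError("payload too large")
    if _DTD_MARKER.search(payload):
        raise ValueError("DTD or entity declaration not allowed")
    depth = elements = 0
    root = None
    try:
        # iterparse streams events, so limits are enforced while the tree is still small.
        for event, elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if root is None:
                    root = elem
                if depth > MAX_DEPTH:
                    raise ValueError("nesting too deep")
                if elements > MAX_ELEMENTS:
                    raise ValueError("too many elements")
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return root


class ReplayGuard:
    """Remembers message ids inside a freshness window so a captured envelope
    cannot be resubmitted. The clock is injectable so the check is testable."""

    def __init__(self, window: int = REPLAY_WINDOW, clock=time.time):
        self.window = window
        self.clock = clock
        self._seen = {}   # message id -> sender timestamp (epoch seconds)

    def accept(self, message_id: str, sent_at: float) -> tuple:
        now = self.clock()
        # Drop ids older than the window; a replay of one of those fails the
        # freshness test below, so forgetting them is safe.
        cutoff = now - self.window
        self._seen = {mid: ts for mid, ts in self._seen.items() if ts >= cutoff}
        if abs(now - sent_at) > self.window:
            return False, "timestamp outside freshness window"
        if message_id in self._seen:
            return False, "duplicate message id (replay)"
        self._seen[message_id] = sent_at
        return True, "fresh"


def inspect_message(payload: bytes, guard: ReplayGuard) -> tuple:
    """Gateway decision for one inbound envelope: bounded parse, then replay check."""
    try:
        root = parse_bounded(payload)
    except ValueError as exc:
        return False, str(exc)
    message_id = root.findtext("Header/MessageID")
    stamp = root.findtext("Header/Timestamp")
    if not message_id or not stamp:
        return False, "missing MessageID or Timestamp header"
    try:
        sent_at = float(stamp)
    except ValueError:
        return False, "unparseable Timestamp"
    return guard.accept(message_id, sent_at)


def envelope(message_id: str, sent_at: float, body: str = "<Balance account='1'/>") -> bytes:
    """Build a constructed sample envelope; not EBS's real message format."""
    return (f"<Envelope><Header><MessageID>{message_id}</MessageID>"
            f"<Timestamp>{sent_at}</Timestamp></Header><Body>{body}</Body></Envelope>").encode()


if __name__ == "__main__":
    guard = ReplayGuard(clock=lambda: 1000.0)        # fixed clock for a reproducible run
    print(inspect_message(envelope("urn:uuid:1", 990.0), guard))   # accepted
    print(inspect_message(envelope("urn:uuid:1", 990.0), guard))   # replay rejected
    print(inspect_message(envelope("urn:uuid:2", 100.0), guard))   # stale rejected
    print(inspect_message(b"<!DOCTYPE x [<!ENTITY a 'aaaa'>]><Envelope/>", guard))
    print(inspect_message(b"<a>" * 40 + b"</a>" * 40, guard))      # too deep
```

Two design points worth noting. The freshness window is what keeps the replay cache bounded: an id only needs remembering for as long as its timestamp would still be accepted. And in a gateway deployed as a cluster the cache has to be shared between nodes, otherwise a captured message replayed against a different node passes the check.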




Verbatim...

“The rule of thumb is that when you outsource the requirements developed internally, the vendor has to be at least as secure as you are.”
-Forrester analyst Chenxi Wang warning customers to be careful when looking into cloud-based services

“One of the biggest takeaways from this report is that not all vulnerabilities are created equal, but many are very serious, leaving the door open to exploit sensitive information and cause some serious damage.”
-Jeremiah Grossman, founder and chief technology officer at WhiteHat Security, regarding his company’s latest “Website Security Statistics Report.” The report, which contains data collected from WhiteHat enterprise clients between January 1, 2006, and March 31, 2009, finds 82 percent of websites have had a high, critical or urgent issue over their lifetime.

“Certainly this isn’t new, but we think that what you’re seeing is an attempt to shake out every last dollar they can get.”
-Kevin Haley, a director on Symantec’s security response team, regarding a wave of phishing attacks against Facebook users




CYBERSECURITY

Why the Top U.S. Cyber Official Is Losing Sleep

The United States’ top cybersecurity official already knew the world’s digital infrastructure needed help before she took on a 60-day cyberspace policy review. With the review now complete, she admits the gravity of the situation seeps into her dreams and disturbs her sleep.

“I worry about [questions surrounding cybersecurity] every night; they infiltrate my dreams,” Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, said in a speech at the RSA Conference in April. “I often wake up at 2:30 or 4:30 in the morning having worked the problem in my sleep, and sometimes even develop a good idea.”

President Obama tapped Hathaway, a Bush administration official who helped develop a multibillion dollar classified initiative to better secure federal systems and critical-infrastructure networks against online threats, to lead a 60-day review of the government’s cybersecurity efforts in February.

She acknowledged what everyone attending RSA already knew: The nation’s digital infrastructure, the world’s, for that matter, is full of security holes that leave us vulnerable to those who would steal personal data for financial gain or to compromise national security.

“Despite all of our efforts, our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need into the future,” she said. “This poses one of the most serious economic and national security challenges of the 21st century.”

She offered several examples: The design of today’s digital infrastructure was driven more by considerations of interoperability and efficiency than of security, she said.

As a result, a growing array of state and nonstate actors can compromise, steal, change or destroy information. She cited “countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation states and others to steal intellectual property and sensitive military information.” Digital miscreants even have the ability to threaten or damage portions of the nation’s critical infrastructure, she said, a recent example being a November 2008 incident where 130 automated teller machines in 49 cities around the world were illicitly emptied in the space of a half hour.

These and other risks have the potential to undermine consumer confidence in the information systems that underlie our economic and national security interests, she said.

The government’s role in cybersecurity, specifically the amount of control it should have over how the private sector manages it, has been one of the top-of-mind issues for security pros of late because of legislation filed in the U.S. Senate that would, among other things, give the government more power to enforce security in the private sector.

Rich Mogull, a former Gartner analyst and founder of security consultancy Securosis, says a deeper government reach into the private sector may make sense under certain circumstances, but not in the broader sense.

“I think it’s reasonable for critical infrastructure and government contractors, but if it extends into general business, it’s doomed to failure,” he says. -B.B.


CISCO SECURITY

Swedish Man Indicted in 2004 Cisco Code Theft

A SWEDISH man was indicted last month in connection with the alleged 2004 theft of source code for Cisco Systems’ IOS (Internetwork Operating System) software.

Philip Gabriel Pettersson, 21, was indicted on one count of intrusion and two counts of misappropriation of trade secrets.

He was also indicted on two counts of intrusion involving NASA. The U.S. Department of Justice’s Criminal Division and Joseph Russoniello, attorney for the Northern District of California, announced the indictment after an investigation by the Federal Bureau of Investigation and other agencies.

IOS runs Cisco’s routers, which handle most of the routing of packets on the Internet. Versions of the code are also at the heart of Cisco LAN switches and other products.

In May 2004, parts of the IOS source code were briefly posted to a Russian website. Some observers said then that the theft might threaten the Internet by giving malicious hackers a glimpse into Cisco’s proprietary software.

The Justice Department identified Pettersson as “Stakkato,” the name used by a hacker linked to numerous attacks around the same time.

It said Pettersson intentionally intruded into Cisco’s network between May 12 and May 13, 2004, and misappropriated IOS code. Cisco has said it believes no customer information, partner information or financial systems were affected. Company officials were not immediately available for comment. Pettersson is also accused of intrusions in 2004 at NASA facilities, including the Ames Research Center and the NASA Advanced Supercomputing Division, which are located in Silicon Valley.

Those crimes allegedly took place on May 19, May 20 and Oct. 22 of that year. Each count of intrusion and theft of trade secrets carries a maximum penalty of 10 years in prison, three years of supervised release and a $250,000 fine.

Cisco and NASA cooperated with the investigation, and the Justice Department said it will work with Swedish authorities on the case.

In September 2004, British authorities said they had arrested a 20-year-old man in connection with the code theft.

-Stephen Lawson


Photo by AP




PHYSICAL SECURITY

Security Wisdom Watch

The world was on a panic footing again when swine flu spread from Mexico to the U.S. and elsewhere last month. Some organizations and individuals offered useful guidance. Others spread fear for a few days, then went away.

THUMBS DOWN: Cable news networks. The big players, CNN, Fox News and MSNBC, reported the swine flu like the opening scene from Stephen King’s The Stand or 28 Days Later. Anchors: Stop yelling at us and just report the facts.

THUMBS UP: The Obama Administration. The White House was quick to react, and did so with the calmness called for.

THUMBS UP: SANS Institute. The organization has kept pretty good track of swine flu developments with this detailed, matter-of-fact site: www.sans.edu/resources/leadershiplab/pandemic_watch2009.php.

THUMBS BOTH WAYS: Humorists. The panic surrounding the outbreak was blunted somewhat by a bounty of cartoons, late-night TV jokes and commentary throughout Twitter and Facebook. But if a second, more deadly wave of illness spreads in a few months, the jokes won’t seem quite as funny.

THUMBS DOWN: Return to apathy. It’s always a relief when a crisis cools off. The problem is that everyone drops the much-needed emergency planning to go watch Grey’s Anatomy.

-B.B.


Can Pirates Be Stopped?

Naval expert Rick Gurnon says the fight against Somali pirates won’t be won any time soon, if ever

An American president was only in office a few months when an American vessel was attacked by pirates. The pirates demand a high ransom for the safe release of the vessel and all onboard. It has become a common scene as pirates have been a problem in this part of the world for some time.

Yet, prior to this new president, all previous American presidents and other leaders of the world have chosen to ignore the problem. Conventional wisdom has thus far been to pay the ransoms rather than send war ships to the troubled waters to drive the pirates out by force. The new president knows how he handles this new attack on an American vessel could make or break his presidency.

While this may sound like the circumstances surrounding the capture of Captain Richard Phillips and the crew of the Alabama Maersk off of the coast of Somalia, this story has nothing to do with that attack, or President Barack Obama. Instead, the story is of Thomas Jefferson, the third president of the U.S., and the events that led to the wars off of the Barbary Coast.

Rear Adm. Rick Gurnon of the Massachusetts Maritime Academy in Bourne says the Barbary Wars are important in the history of the formation of the U.S. Navy as we know it today. At the time, Jefferson managed to convince the U.S. Congress to raise taxes in order to fund war ships sent to battle the pirates. One of the vessels, the USS Constitution, is still in active service today. But the outcome in the modern-day battle against pirates is still unclear. “A report to the U.N. security council concluded that these pirate groups now rival established Somali authorities in terms of their military capabilities and resource basis,” Gurnon says. “This is certainly no smash-and-grab operation.” Gurnon notes that a ransom as high as $3.2 million was collected recently for the release of a Ukrainian vessel. “Just as paying ransom to the Bays of Tripoli failed to stop piracy at the turn of the 19th century, paying insurance money to the Somali pirates at the beginning of the 21st century is doomed to fail,” Gurnon says.

Other tactics some vessels have employed include barbed wire at low areas of the ship to prevent boarding and charged fire hoses to drive oncoming pirates away. Ultimately, the real solution is on land, not at sea, Gurnon says. Somalia needs a viable government to control its seas and shores. But with Iraq and Afghanistan still hot, there aren’t too many countries, including America, interested in getting involved in a protracted land war in Somalia, he says.

-Joan Goodchild

Members of the USS Gettysburg and U.S. Coast Guard Law Enforcement prepare to board a suspected pirate mother ship. (U.S. Navy photo by Mass Communication Specialist First Class Eric L. Beauregard)


Four Steps for Starting an Application Security Program on a Budget

Special Advertising Section

With major security breaches in the news, CSOs are no longer asking why they need an application security program. They know they need to find, fix, and prevent security vulnerabilities in their web applications to prevent hackers from accessing sensitive information and to comply with regulations, including guidelines from the Payment Card Industry (PCI). Instead, CSOs are asking how to implement an application security program, how to get it up and running quickly, and in these days of flat or shrinking budgets, how to do so as cost-effectively as possible.

The following steps will help protect assets and accelerate the adoption of a new application security program while keeping costs down:

1. Start small. It is best not to be overwhelmed by the enormity of securing all applications across the enterprise. Organizations can start their efforts with one critical application or one potentially severe security vulnerability (e.g., SQL injection) and grow their efforts from there. HP WebInspect software provides fast, accurate security testing and remediation capabilities for web applications, including those built on emerging Web 2.0 technologies.

2. Focus on riskiest applications. With a limited budget, it makes sense to focus resources on areas that pose the most risk to the business. In application security, this means identifying assets that must be protected or have the most critical security vulnerabilities. It also helps to classify data into risk categories (i.e., internal use only, classified, etc.). HP Assessment Management Platform, part of HP Application Security Center software, provides business analytics features that let users prioritize security issues based on the needs of the business so that limited resources can be deployed where they are needed most.

3. Leverage Software-as-a-Service (SaaS). SaaS helps organizations get their application security program up to speed quickly using software that is hosted and operated by the vendor over the Internet. SaaS can help when budgets are tight because customers do not have to make long-term investments in technology infrastructure or staff training. In addition, SaaS draws on operating expenses rather than capital expenditures. As part of its SaaS offering, HP provides a unique model of ongoing mentoring to help drive adoption and maturity of the customer's application security program with the flexibility to move the software on premise if requirements change.

4. Work with external application security experts. To quickly build a cost-effective, compliance-driven web application security program across the enterprise, it's best to work with experienced professionals who understand not just the technology, but the organizational requirements and processes to make the program successful. HP provides a full line of educational, consulting and packaged services to help customers implement a focused security testing effort or quickly adopt a more comprehensive program. In addition, Testing and Quality Assurance Services from EDS provide code scanning and application security testing from a global network of testing centers.

HP is committed to providing comprehensive research, best practices, education, technology, and software offerings to enable organizations to ensure that their applications meet business expectations for security. To learn more about HP's Application Security SaaS, software and professional services designed to help you jump start your security program, send an email to qmsecuritysales@hp.com or visit www.hp.com/go/securitysoftware.

© 2009 Hewlett Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.


CRITICAL INFRASTRUCTURE

New Cybersecurity Standards for N. American Power System

The North American Electric Reliability Corporation’s board of trustees has approved changes that make cybersecurity compliance for the electric industry more stringent

Revised cybersecurity standards for the North American bulk power system were approved by the North American Electric Reliability Corporation’s (NERC) independent board of trustees earlier last month.

The revised standards were passed by the electric industry with an 88 percent approval, according to NERC officials, who noted that the majority approval indicated strong support in the industry for the more stringent standards.

“The approval of these revisions is evidence that NERC’s industry-driven standards development process is producing results, with the aim of developing a strong foundation for the cybersecurity of the electric grid,” said Michael Assante, vice president and chief security officer at NERC, in a statement.

The standards, according to the statement, are comprised of approximately 40 “good housekeeping” requirements designed to lay a solid foundation of sound security practices.

The revisions that were approved address concerns raised by the Federal Energy Regulatory Commission when it conditionally approved the standards in effect. The revisions notably include the removal of the term “reasonable business judgment,” said NERC officials.

The standards, “if properly implemented, will develop the capabilities needed to secure critical infrastructure from cybersecurity threats,” the statement noted.

Entities that fail to comply can be fined up to $1 million per day, per violation in the U.S., with other enforcement provisions in place throughout much of Canada, said NERC. Audits for compliance will begin on July 1, 2009.

The changes come on the heels of a Wall Street Journal report that cited national security officials who claimed cyberspies from China, Russia and other countries had successfully penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.

However, Assante stressed in his statement that the changes were part of a process that was launched last July and was already well underway.

“It’s important to note, however, that these standards are not designed to address specific, imminent cybersecurity threats,” he said.

“We firmly believe that carefully crafted emergency authority is needed at the government level to address this gap.”

A second phase of revisions will be presented to the board in 2010. -J.G.


BY THE NUMBERS

82%: Websites that have had high, critical or urgent security issues over their lifetime, based on a study of WhiteHat Security customers

63%: Websites currently suffering from a high, critical or urgent issue, making them unsecured today, according to the WhiteHat study

85%: Percentage of sites blocked by MessageLabs for hosting malicious content. Many of them were legitimate sites that had been secretly hijacked by hidden malware

One: Number of security updates that Microsoft released for its May 2009 Patch Tuesday rollout

14: Number of flaws the Microsoft update addressed

One: Number of Microsoft products affected by the 14 security flaws. This time, the affected program was PowerPoint.


7th Annual Alta Associates

EXECUTIVE WOMEN’S FORUM
Information Security, Risk Management & Privacy

September 23-25, 2009 | Hyatt Regency at Gainey Ranch | Scottsdale, AZ

Pragmatic Risk Solutions for Changing Times: Achieving More with Less

The 7th annual Executive Women’s Forum brings together more than 200 women of influence, power and intelligence to exchange pragmatic risk solutions. Hosted by Alta Associates, Inc.

ROI:

• Earn 17 CPE Credits

• Build a Network of the Most Dynamic Women in Our Industry

• Take Home Tools, Templates & Solutions to Achieve Success

• Expand Your Expertise & Capabilities

Panels Include:

• Winning Mind Share — Writing Effective Proposals
- Tie IT investments to business drivers, calculate ROI based on your project and lower the overall risk to your company.

• Compliance Globalization Framework Workshop
- Develop requirements and controls to multiple obligations, create a unified approach, and consider the benefits and costs.

• Emerging Technologies Workshop: Cloud Storage & Computing, Web 2.0 and Mobility
- Work in groups to discuss and then present the current state, architecture, risks, rewards & tools used to evaluate them.

• Gaining Efficiencies through Vendor Risk Management
- Discuss third party relationship life cycles and take away a risk assessment framework

• The Future Privacy Landscape
- In our desire to collaborate, how do we maintain basic privacy?

Women of Influence Awards

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.

Winners will be announced at an awards ceremony during the Executive Women’s Forum.

NOMINATION FORM AVAILABLE AT: www.ewf-usa.com

Nominations MUST be submitted by August 1, 2009

MEDIA SPONSOR & AWARDS co-presenter: CSO

FORUM HOST & AWARDS co-presenter:

DIAMOND SPONSORS

Symantec.

Information Networking Institute, Carnegie Mellon

Microsoft


By Mary Brandel


Web  Application  Firewalls 

Application-layer attacks bypass normal perimeter defenses. Here's how to evaluate the boxes that screen that traffic, too.


A Web application firewall (WAF) is designed to protect Web applications against common attacks such as cross-site scripting and SQL injection. Whereas network firewalls defend the perimeter of the network, WAFs sit between the Web client and Web server, analyzing application-layer traffic for violations of the programmed security policy, says Michael Cobb, founder of Cobweb Applications, a security consultancy.

While some traditional firewalls provide a degree of application awareness, it's not with the granularity and specificity that WAFs provide, says Diana Kelley, founder of consultancy Security Curve. For instance, a WAF can detect when an application is not behaving the way it was designed to, and it lets you write specific rules to prevent that kind of attack from recurring.

WAFs also differ from intrusion prevention systems. "It's a very different technology—it's not signature-based, it's behavioral, and it protects against vulnerabilities you [inadvertently] create yourself," says Greg Young, an analyst at Gartner.

One of the primary drivers for WAFs today is the Payment Card Industry Data Security Standard (PCI DSS), whose Requirement 6.6 identifies two ways of being in compliance: a WAF or application code review. But another driver is simply the growing recognition that attacks are moving from the network to applications. In a study by WhiteHat Security, which assessed 877 websites from January 2006 to December 2008, 82 percent had at least one issue of high, critical or urgent severity.

Main WAF Attributes

The WAF market is still undefined, with many dissimilar products falling under the WAF umbrella. "Many products provide functionality above and beyond what one would consider a firewall," says Ramon Krikken, research analyst at Burton Group. "This makes products hard to evaluate and compare." In addition, new vendors are entering the market by expanding existing non-WAF products into the integrated segment.

Here are the attributes that a WAF should have, according to a list provided by Ofer Shezaf, founder of research and consulting firm Xiom:

■ Have intimate understanding of HTTP. WAFs need to fully parse and analyze HTTP to be effective.

■ Provide a positive security model. A positive security policy allows only traffic known to be valid to pass through. Sometimes called "white listing," this provides an external input validation shield over the application.

■ Application-layer rules. Because of the high maintenance cost of a positive security model, it should be augmented by a signature-based system. But since Web applications are custom-coded, traditional signatures targeting known vulnerabilities are not effective. WAF rules should be generic and detect any variant of an attack class, such as SQL injection.

■ Session-based protection. One of the biggest downsides of HTTP is the lack of a built-in reliable session mechanism. A WAF must complement the application's session management and protect it from session-based and over-time attacks.

■ Allow fine-grained policy management. Exceptions should be applied to only minimal parts of the application. Otherwise, false positives force wide-open security gaps.

Illustration by James Frazier/Veer
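The positive security model, the generic application-layer rules and the fine-grained exceptions from the list above are easiest to understand side by side. The following is an added example written for this edit, not code from the article or from any WAF product: a small request screen that applies an allowlist first, then attack-class rules on normalized values, with one exception scoped to a single parameter. The application (paths /login and /search), the parameter rules and the sample requests are constructed assumptions.

```python
"""WAF-style request screen: positive (allowlist) model first, generic
attack-class rules second, exceptions scoped to one parameter.
Added example; the application, paths, rules and traffic are hypothetical."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Positive model: the only paths, methods and parameter shapes the
# (hypothetical) application accepts.  Anything outside it is rejected.
POLICY = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "user": re.compile(r"^[A-Za-z0-9_.@-]{1,64}$"),
            "pass": re.compile(r"^.{8,128}$"),
        },
    },
    "/search": {
        "methods": {"GET"},
        "params": {"q": re.compile(r"^[\w\s'.,-]{1,100}$")},
    },
}

# Generic rules target an attack class, not a known CVE, so they also catch
# variants in custom code.  They run on normalized (decoded, lowercased) values.
GENERIC_RULES = {
    "sqli_tautology": re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    "sqli_union_comment": re.compile(r"--|/\*|\bunion\b\s+(all\s+)?select\b|;\s*(drop|delete|insert|update)\b"),
    "sql_keyword": re.compile(r"\b(union|select|insert|drop|delete|update)\b"),
    "xss_markup": re.compile(r"<\s*/?\s*script|javascript:|\bon[a-z]+\s*="),
}

# Fine-grained exception keyed (path, parameter, rule).  Searching for
# "union jack flag" is legitimate, so sql_keyword is relaxed for /search?q=
# only; it still fires on every other parameter of the application.
EXCEPTIONS = {("/search", "q", "sql_keyword")}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path and (name, value) pairs
    taken from the query string and, for form posts, the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return method, url.path, params


def normalize(value):
    """Decode until stable so double-encoding (%2527 for a quote) cannot slip
    past the generic rules, then lowercase for matching."""
    previous = None
    for _ in range(3):
        if value == previous:
            break
        previous, value = value, unquote_plus(value)
    return value.lower()


def screen(raw):
    """Return {'allow': bool, 'reasons': [...]}; every violated check is
    listed so tuning can see which layer fired."""
    method, path, params = parse_request(raw)
    reasons = []
    rule = POLICY.get(path)
    if rule is None:
        reasons.append(f"positive:unknown_path:{path}")
    else:
        if method not in rule["methods"]:
            reasons.append(f"positive:method_not_allowed:{method}")
        for name, value in params:
            pattern = rule["params"].get(name)
            if pattern is None:
                reasons.append(f"positive:unknown_param:{name}")
            elif not pattern.match(value):
                reasons.append(f"positive:bad_value:{name}")
    for name, value in params:
        norm = normalize(value)
        for rule_id, pattern in GENERIC_RULES.items():
            if pattern.search(norm) and (path, name, rule_id) not in EXCEPTIONS:
                reasons.append(f"generic:{rule_id}:{name}")
    return {"allow": not reasons, "reasons": reasons}


# Constructed sample traffic (not captured from any real site).
FORM = "Content-Type: application/x-www-form-urlencoded\r\n"
LOGIN_OK = "POST /login HTTP/1.1\r\nHost: shop.example\r\n" + FORM + "\r\nuser=alice&pass=correct-horse-battery"
LOGIN_SQLI = "POST /login HTTP/1.1\r\nHost: shop.example\r\n" + FORM + "\r\nuser=admin%27+OR+%271%27%3D%271&pass=whatever1"
SEARCH_OK = "GET /search?q=union+jack+flag HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SEARCH_XSS = "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SEARCH_DEBUG = "GET /search?q=boots&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SEARCH_DOUBLE = "GET /search?q=x%2527%2520or%25201%253d1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("login ok", LOGIN_OK), ("login sqli", LOGIN_SQLI), ("search ok", SEARCH_OK),
                       ("search xss", SEARCH_XSS), ("unknown param", SEARCH_DEBUG), ("double enc", SEARCH_DOUBLE)]:
        print(f"{label:14} {screen(raw)}")
```

Two things in the output are worth noticing. The injected login and the double-encoded search are each caught twice, once by the positive model (the value does not fit the declared shape) and once by a generic rule, which is the overlap Shezaf's list asks for. And the exception lets "union jack flag" through on the search box while the same keyword in the login form would still be stopped, which is what "exceptions applied to only minimal parts of the application" looks like in practice.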

Selection Criteria

The Open Web Application Security Project, an open community focused on improving the security of application software, suggests the following selection criteria for WAFs:

■ Very few false positives (i.e., should never disallow an authorized request);

■ Strength of default (out-of-the-box) defenses;

■ Power and ease of learn mode;

■ Types of vulnerabilities it can prevent;

■ Ability to keep individual users constrained to exactly what they have seen in the current session;

■ Ability to be configured to prevent specific problems, such as emergency patches;

■ Form factor: software versus hardware (hardware generally preferred).

Prime Considerations

WAFs versus source-code scanning. The idea of a WAF protecting an application in real time, rather than fixing the code, has drawn criticism in the past. Some vendors are wary of the term "WAF," preferring "application awareness" or "application-layer intelligence," Kelley says. Today, however, a growing consensus holds that, implemented correctly, WAFs are an important part of a layered security model: they provide protection while you repair the application's vulnerabilities.

As Jeremiah Grossman, founder of WhiteHat Security, points out on his blog (jeremiahgrossman.blogspot.com/2009/04/disagree-with-concept-or-implementation.html), there are far too many vulnerabilities to keep up with remediating them in the code itself. He advocates that vulnerabilities found through an assessment be imported as customized rules into a WAF, a practice often called virtual patching, providing an option to mitigate now and remediate the source of the problem later.

Gartner, on the other hand, advises customers to consider techniques for removing application vulnerabilities. "Before you spend your first dollar, consider whether you're in a position to remove vulnerabilities through a stronger system development lifecycle and by using tools such as source-code scanners," Young says. WAFs are useful for applications that are difficult or impossible to change, or those that are very dynamic, he says.

"For most companies, it's sufficient to choose one or the other approach," he says, although there is a small percentage of companies whose risk tolerance is so low that they'll want to use both.

Hardware appliance versus software. For Jack Nelson, IT director of global network services and operations at Jarden Consumer Solutions, a big reason for choosing the Check Point Software Technologies VPN-1/FireWall-1 gateway with integrated Web Intelligence technology was that it was available in both configurations. Jarden has remote offices that are not staffed by IT workers, so Nelson uses the software-based version to make it simple for office managers to reconfigure any PC to become a WAF if the existing WAF goes down. "It's a lot more flexible than having to purchase a second firewall, and it's less expensive than paying for quick-response maintenance," he says. The interface is simple enough that it doesn't require a firewall expert, he says, and licensing is key-based, so you can apply it remotely.

In a couple of small offices in North America, Nelson uses the Check Point appliance because he finds it more manageable and support is more available.

Inline or out-of-band deployment. It's critical to decide up front whether you plan to deploy the WAF inline or out-of-band, as not all WAFs support both modes. An out-of-band WAF works from a copy of the traffic (a tap or span port), so it can alert and report but cannot reliably stop a request before it reaches the server; only an inline deployment can block. "I often see short lists that consist of products with different deployment modes, or lists where none of the products would support the design being envisioned," Young says.

DOs and DON'Ts

DO understand the difference between stand-alone and integrated products. It's important to understand the difference between vendors that incorporate WAF capabilities into their existing application delivery and network security products and those that specialize in application security. Deciding which is right for you depends on many factors, including what you've got installed already, the level of security you need and whether you're more comfortable with specialized products or those with broad functionality.

Krikken notes that products focusing on application delivery need to perform at wire speeds and thus don't include compute-intensive capabilities such as learning engines and session awareness. "They're very much limited to black-listing and white-listing and inbound/outbound inspection," he says. Learning engines enable the WAF to learn the behavior of an application and generate policy recommendations. Session awareness enables the WAF to build dynamic, session-based rules in real time and use those to determine whether subsequent requests are valid.

For Nelson, who is using Check Point's integrated product for the company's virtual private network and external Web applications, it was important that the product handle a breadth of security components rather than serve as an application-specific firewall. "We wanted the ability to consolidate functionality without sacrificing performance and manageability," he says. Meanwhile, at automotive parts supplier AutoAnything.com, which is using Breach Security's stand-alone WAF to secure e-commerce, CTO Parag Patel takes the opposite approach. "It's rare that one company can do a lot of things well," he says.

Understanding WAFs

WAF offerings vary greatly, and most products have one or more niche problems they address. One way to understand the market is to segment it into three basic categories:

INTEGRATED: Products in this category are add-on modules to an existing non-WAF product that is focused on either application delivery (load balancing, caching, acceleration) or network security. Some vendors (marked with an asterisk below) also offer their product as a stand-alone WAF.
Representative vendors: F5, Radware, Citrix, Check Point, IBM

STAND-ALONE NETWORK-BASED: Products in this category are separate systems on the network and can be deployed as an inline bridge or gateway. Breach and Imperva also offer an out-of-band option. Many offer non-core WAF functionality, such as Web services security.
Representative vendors: Armorlogic, Barracuda Networks, Bee Ware, Breach Security, Cisco, Citrix*, Deny All, F5*, Imperva, ModSecurity, Phion, Protegrity

STAND-ALONE HOST-BASED: These WAFs are modules that operate on a Web or application server, or as an individual application. ModSecurity can also be implemented as a network-based WAF (through Breach Security). This segment is at the edge of what most would consider to be the WAF market.
Representative vendors: Applicure Technologies, eEye Digital Security, Fortify Software, FMT Worldwide, ModSecurity

* This is an additional deployment model for the integrated WAF product.

Source: Burton Group

DON'T consider the WAF a silver bullet. Many companies are turning to WAFs for PCI compliance. However, analysts warn against seeing a WAF as a check-off item.

“I  see  a  lot  of  mistakes  and  bad  spending 
going  on,”  Young  adds.  “People  think,  ‘If 
we  buy  a  firewall,  the  auditors  will  go  away,’ 
but  that’s  not  good  enough  in  this  area.  You 
have  to  customize  your  application  defense 
to  fit  your  environment.” 

DO look beyond traditional WAF functionality. While the traditional WAF customer is the security team, many products are becoming attractive to a wider audience, thanks to analysis features, single-sign-on support and integration with Web services security, Krikken says. That's why he advises that WAF evaluation should include those responsible for enterprise architecture, application delivery and software development. "This will improve confidence in the security aspects of the solution, as well as alleviate availability and performance concerns," he says.

At a global energy company, in fact, the decision to use a WAF followed the need for a security service for the company's service-oriented architecture (SOA) implementation. The chief architect at the company chose the Reactivity XML accelerator security device; Reactivity was later bought by Cisco Systems, which turned the product into the ACE WAF. When the energy company determined that it needed an Internet-facing WAF, Cisco assured it that it could use ACE both for its internal SOA needs and for securing its Web applications.

DO consider the WAF for performance monitoring. Application monitoring is one nontraditional use for WAFs that's growing in popularity, as WAFs are able to detect performance issues or whether the application is serving up error pages because of broken links.

DON'T think it's set-and-forget. While you can use out-of-the-box blacklist rules for basic security, Krikken says, be prepared to invest ongoing time and effort for all but the most simple Web applications. "Even with rule templates and learning engines, initial tuning and ongoing customization will often be required to optimize effectiveness and reduce false positives," he says.

At the global energy company, the chief architect says his company was able to configure one use case in two hours with the Cisco WAF. However, he would like more best-practices guides for configuring things like character filtering "rather than us scrambling to do this."

DO consider a learning engine feature. With a learning engine, the WAF learns about applications so it can create and even enforce rules. In very dynamic environments, Krikken says, it's better for the WAF to alert you to aberrant behavior than to block it.

Patel uses Breach's learning engine, which he says profiled Web applications over a couple of months. During that time, it flagged irregular behavior, which his team reviewed. "You need a certain level of comfort that it's going to make the right decisions," he says. Over time, however, Patel wanted automated blocking. "With the amount of traffic we get on the site, it's key that the WAF recognizes irregularities and shuts down those attempts while they're happening, rather than later on," he says.

For instance, the WAF now stops competitors from scraping product data from the website, which includes millions of SKUs, as well as pricing information. "If we see someone is checking data weekly or monthly, that represents a huge loss of competitive intelligence," Patel says.
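What a learning engine of the kind Krikken and Patel describe actually does is worth seeing in code. The sketch below is an added example written for this edit, not code from the article or from Breach or any other vendor: it profiles legitimate traffic per parameter, turns the profile into policy recommendations, runs in alert mode until you switch it to block, and refuses to block on a profile built from too few samples (the "level of comfort" Patel mentions). The application paths, parameters and training traffic are constructed assumptions.

```python
"""Sketch of a WAF learning engine: profile legitimate traffic per
parameter, turn the profile into policy recommendations, then run in
alert or block mode.  Added example; the application and traffic are
constructed, not taken from any product or real site."""
import string
from collections import defaultdict

# Character classes from most to least restrictive.  A value is tagged
# with the first class whose alphabet contains every one of its characters.
CHAR_CLASSES = [
    ("digits", set(string.digits)),
    ("alpha", set(string.ascii_letters)),
    ("alnum", set(string.ascii_letters + string.digits)),
    ("alnum_punct", set(string.ascii_letters + string.digits + "-_.")),
    ("text", set(string.ascii_letters + string.digits + "-_. ,")),
    ("any", None),  # quotes, angle brackets, percent signs, ... land here
]
RANK = {name: i for i, (name, _) in enumerate(CHAR_CLASSES)}


def classify(value):
    for name, alphabet in CHAR_CLASSES:
        if alphabet is None or set(value) <= alphabet:
            return name


class LearningEngine:
    def __init__(self, min_samples=20, length_slack=1.5):
        self.min_samples = min_samples    # below this, never trust a profile to block
        self.length_slack = length_slack  # headroom over the longest value seen
        self.profiles = defaultdict(lambda: {"n": 0, "class": 0, "min": None, "max": 0})

    def learn(self, path, params):
        """Fold one legitimate request into the per-parameter profiles."""
        for name, value in params.items():
            p = self.profiles[(path, name)]
            p["n"] += 1
            p["class"] = max(p["class"], RANK[classify(value)])
            p["min"] = len(value) if p["min"] is None else min(p["min"], len(value))
            p["max"] = max(p["max"], len(value))

    def recommend(self):
        """Policy recommendations: one allowed shape per learned parameter."""
        policy = {}
        for key, p in self.profiles.items():
            policy[key] = {
                "class": CHAR_CLASSES[p["class"]][0],
                "min_len": p["min"],
                "max_len": int(p["max"] * self.length_slack) + 1,
                "confident": p["n"] >= self.min_samples,
            }
        return policy

    def evaluate(self, path, params, mode="alert"):
        """Compare a request with the learned policy.  In alert mode every
        deviation is reported but the request passes; in block mode it is
        denied, unless the profiles involved were built from too few samples."""
        policy = self.recommend()
        findings = []
        if not any(p == path for p, _ in policy):
            findings.append(("unknown_path", path, None))
        for name, value in params.items():
            rule = policy.get((path, name))
            if rule is None:
                findings.append(("unknown_param", name, None))
                continue
            seen = classify(value)
            if RANK[seen] > RANK[rule["class"]]:
                findings.append(("char_class", name, seen))
            if not rule["min_len"] <= len(value) <= rule["max_len"]:
                findings.append(("length", name, len(value)))
        confident = all(policy[(path, n)]["confident"] for n in params if (path, n) in policy)
        block = bool(findings) and mode == "block" and confident
        return {"allow": not block, "findings": findings}


def build_engine():
    """Train on constructed traffic: /product has been seen often enough to
    trust, /search only a handful of times."""
    engine = LearningEngine(min_samples=20)
    for i in range(30):
        engine.learn("/product", {"id": str(1000 + 37 * i), "sku": f"AB-{1000 + i}"})
    for q in ["boots", "winter tires", "brake pads", "oil filter", "wiper blades"]:
        engine.learn("/search", {"q": q})
    return engine


if __name__ == "__main__":
    engine = build_engine()
    for (path, name), rule in sorted(engine.recommend().items()):
        print(f"{path}?{name}: {rule}")
    print(engine.evaluate("/product", {"id": "1234 OR 1=1", "sku": "AB-1005"}, mode="alert"))
    print(engine.evaluate("/product", {"id": "1234 OR 1=1", "sku": "AB-1005"}, mode="block"))
    print(engine.evaluate("/search", {"q": "x' or 1=1"}, mode="block"))
```

The same injected value is reported in alert mode and denied in block mode for /product, where thirty samples back the profile; for /search, seen only five times, the engine reports the deviation but lets it through even in block mode. That conservative default is what makes a months-long profiling period, like the one Patel describes, safe to run on live traffic before flipping the switch. Note also the limit of a learned profile: a value that fits the learned shape (plain words in a text field) passes, which is why the generic attack-class rules still belong alongside it.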

DO consider enterprise-level capabilities. Jarden's Nelson chose Check Point's product in part for its enterprise-level console, which provided centralized management for all of Jarden's firewalls. He particularly likes that he can group the firewalls into what's called "containers" and apply different policies within those containers.

Meanwhile, the security-messaging engineer at a nutritional supplements manufacturer says a big advantage of the Barracuda system he uses is its scalability. The company's main motivation for a WAF was to provide a secure Web mail interface to users who wanted to access e-mail from around the world. It also uses it to protect against application-layer attacks.

The security engineer wanted to provide users with a single URL to access e-mail no matter where they were, and he wanted to be able to scale up the system without interruption. Because he can add an additional WAF appliance without giving it a new IP address, it's transparent to users. "If it starts being overloaded, all we have to do is get another one, put it in a rack, cluster it with this one and we've got twice as much capacity," he says. ■


Mary  Brandel  is  a  freelance  writer.  Send 
feedback  to  Editor  Derek  Slater  at 
dslater@cxo.com. 




Risk and Reward

Security's stock is moving opposite the world economy. Will it last? By Derek Slater

While the economy is in the tank, CSOs report that security's stock is still rising.

And perhaps that's not a coincidence. The CEOs and CFOs of the world are more attuned to risk than ever, say respondents to our exclusive annual "State of the CSO" survey. More organizations report having security policies and processes in place. The CSO role itself is viewed as an ever-more strategic and permanent part of corporate leadership. As a result, CSOs report higher overall job satisfaction than last year.

That's not to say that everything is all roses and chocolate. Security awareness among everyday employees remains challenged: just over a third of respondents say line-of-business employees consider security part of their responsibilities.

And some other stats raise an interesting question: In this time of relative favor, is security laying the groundwork necessary to keep its funding and attention when the economy turns around? Around half of the respondents say they use no financial methodology for measuring the value or contribution of security expenses. Similarly, half say they use no formal enterprise risk management process that extends beyond traditional stovepipes. ■

Derek Slater is Editor in Chief of CSO. Reach him at dslater@cxo.com.


A Happy Place

Job satisfaction among security leaders is up, and organizational leadership is more attuned to security issues than in recent years.

Respondents who are very satisfied or somewhat satisfied with the following:

                                                        2009   2008
Your job overall                                         82%    74%
Your organization's support for security                 65%    65%
Quality of products offered by security vendors          62%    50%
Quality of services offered by security vendors          54%    46%
Quality and relevance of standards and guidelines        68%    56%

Respondents who agree or strongly agree that senior management views the security leader's role as strategic and permanent:

2009   70%
2008   64%
2004   17%

In the past twelve months, has leadership placed more, less or the same value on risk management?

More value   50%
No change    46%
Less value    4%

A Tough Nut to Crack

Employees outside of the security department get more security training than they did in 2004, but respondents still aren't wildly optimistic that those employees build security into their day-to-day decisions. (Anybody shocked?)

Respondents who agree or strongly agree with the following statements:

All employees receive training in all security policy topics.                 59%
All employees are trained in the consequences of a public security breach.    54%
All employees consider security a part of their daily responsibilities.       38%


Big and Little?

The often-cited gap between security practices at bigger companies and smaller ones is wide in places and, surprisingly, in one place reversed. Might that suggest that bigger companies can be overly reliant on policy and smaller ones more focused on operational decisions?

Respondents who agree or strongly agree with the following statements:

Senior management has established a security policy and auditing process:
Big         87%
Midmarket   62%

All managers in the organization understand their roles in regard to security:
Big         39%
Midmarket   28%

Security considerations are a routine part of your organization's business processes:
Big         63%
Midmarket   72%

Note: "Big" respondents report $1B revenues or more. "Midmarket" respondents have revenues between $100M and $1B.


The Numbers Game

No question about it: Financial methodologies are hard to apply to security expenses. However, very little is done, or spent, in the corporate world without measurement. While none of the following methodologies is perfect, some would argue that security jeopardizes its standing by failing to present a rigorous examination of its spending.

Which of the following methods and calculations do you apply in the security budgeting process? (Multiple selections allowed)

Return on investment               38%
Total cost of ownership            34%
Annual loss expectancy             17%
Net present value                  11%
Economic value added                9%
No formal financial methodology    50%

Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?

Yes   46%
No    54%


About the Survey and Respondents

Qualified respondents were invited by e-mail to take the 2009 "State of the CSO" survey this spring. The survey instrument was completed online.

The 256 respondents represented a variety of industries, the largest being:

Government, nonprofit and education   23%
Financial services                    20%
High-tech, telecom and utilities      17%
Healthcare                            11%
Manufacturing                          9%

Respondents report involvement in activities including:

Information security                  95%
Business continuity                   92%
Security-related audit                90%
Privacy                               89%
Intellectual property protection      84%
Investigations                        81%
Fraud prevention                      73%
Assets/facilities security            72%
Personnel security                    60%


Illustration  by  Stephen  Webster 




CSO: Future Tense

From  incident  reaction  to 
proactive  risk  assessment, 
the  CSO  role  has  evolved 
dramatically  in  the  last 
few  years.  Next  stop:  new 
services  and  business 
operations  intelligence. 

By  Joan  Goodchild 


It's been almost 15 years since David Kent first came to Genzyme, a biotech firm headquartered in Cambridge, Mass., that develops medical treatments for ailments such as certain genetic diseases and some forms of cancer. In 1994, the company had less than $200 million in sales and only about 1,000 employees, a stark contrast to its worldwide workforce of 11,000 today and the $4.6 billion in revenue it reported in 2008.

Kent's first experience with Genzyme was as a consultant. The company had lost some of its intellectual property through a theft, and Kent, then working for Bolt Beranek and Newman as a security manager, was called in to help evaluate the situation. His work with the firm grew into a job offer to be Genzyme's director of security. The goal was to have someone aboard with an intense focus on the security posture of the organization to prevent other thefts from occurring.

"At that time, I think there were about nine different card access systems. One person was handling their voice and data and their office services," says Kent. "It was an organizational design reflective of a rapidly growing business. There was no thought put into security; it was a lower priority. It was sort of a barren landscape from my viewing."

His first project was to look at the situation around laboratory notebooks in order to ensure there would not be a repeat theft incident. After that, he moved on to assessing the physical security of the building and addressing the multiple card reader situation by implementing a single-card solution. Kent and his team began pushing for security standards around the corporation, slowly picking away at information systems security challenges as well. It was a forge-ahead, forward-thinking philosophy for security that had not been seen before in the firm.

"Left to its own devices, we wouldn't have the program we have today. We would have separate silos. There had to be someone in the organization to drive this stuff."

As the company grew, more emphasis was placed on security. But it was the Bio International Exposition held in Boston in 2000 that gave Kent the perfect opportunity to show how his department could go beyond reactive protection to proactive security.



"Initially the job was very operational and infosec-focused... Now I'm trying to get out there and say, 'This is more than just technology.'"

-BETH CANNON, CSO, THOMAS WEISEL PARTNERS


"It was the first major East Coast meeting following WTO [the World Trade Organization meeting] in Seattle. The members of the Genzyme senior management team were the chairs for the meeting in Boston. We were asked to coordinate security around the meeting. There were about 14,000 people expected in for this event, and demonstrators could shut down the show."

Kent says for several months he talked with area law enforcement agencies and other companies that might be targeted for demonstration and urged them to prepare. By the time the event arrived, Genzyme security officials had coordinated the work of 80-plus agencies and were holding regular meetings with multiple organizations.

On the opening day of the expo, 3,200 demonstrators turned out in front of the hall. Their presence, according to Kent, was uneventful, exactly what he had hoped for.

"Nothing happened," he says. "So we got tremendous visibility for that. When bad things happen, you've got to have the ability to have a good response. Those are the things they remember."

Soon after the event, Kent was elevated to vice president of security. The promotion, he says, marked the official beginning of the security group operating under a CSO model.

A SKILL SET BEYOND SECURITY

KENT'S EXPERIENCE AT Genzyme is familiar at organizations around the world that have decided to place a top security officer, a CSO or a CISO, as the key point of responsibility for a company's security. We've seen this position increase in numbers for more than a decade now. But as it has grown, so have the expectations of the organizations hiring CSOs. As security programs become more robust and sophisticated, so, too, do the expectations of companies that have a top security officer in place. CSOs are now expected to expand their skill set: Those with technical backgrounds must understand facets of regulation, compliance, security and risk beyond the data center. CSOs from a physical security career, such as law enforcement or the military, must also have an understanding of information systems and the threats posed to their organization's data assets beyond just the facilities they are housed in.




It is an evolution that was expected among industry analysts when the first CSO roles began appearing in corporations. Much like how the role of the CIO has changed, it was inevitable that CSOs would have the same experience.

“They, of course, share the same problem that CIOs have traditionally faced,” says Paul Saffo, a Stanford University professor, forecaster and essayist with a focus on long-term technological change and its impact on business. “CIOs have been the Rodney Dangerfields of management. ‘I don’t get any respect,’ because their work is so arcane. The other XOs never understood it, or even tried, until recently. CIOs are moving past this stage slowly, but I think the CSOs are still hitting this.”

However, while corporate perception of the CSO role is still unfolding, the job has some history to it, and recruiters and hiring managers are becoming savvier about what they want in a security executive, according to Tracy Lenzner, CEO of The Lenzner Group, an executive recruitment firm specializing in security.

“Clients are getting more sophisticated in what they are looking for and what they need,” says Lenzner. “Now we are in the second and third generation of these roles. Some companies are looking at these areas for the first time, but, by and large, companies are filling roles for people who had been there previously.”

FROM TECHIE TO BUSINESS EXECUTIVE

IN THE EARLY days, information security professionals were viewed as two things, according to Steve Katz.

“Highly technical, and the people who consistently said no,” he says.

Katz, considered by many to be the first person to hold a chief information security officer position, began to debunk the notions around information security when he was recruited in 1995 by Citicorp (now Citigroup). The company hired Katz after a hacker broke into Citibank’s cash management system and siphoned $10 million into his own accounts. Much of the money was not recovered. The theft brought information security to the forefront for Citibank, and the company wanted someone to minimize the risk that such a breach would occur again. Katz’s CISO title was created by a board headed by former Citicorp CEO John Reed.

“His view was: Let’s bring a business perspective to information security,” says Katz. “[Reed] said, ‘Citicorp sells two things: money and trust.’ As security, we were there to help them deliver on the trust component.”

Katz says he spent much of his first year traveling to meet with Citi executives around the world. His mission was to put a face on security and figure out what needed to be done to protect the company. He asked executives, “Do you care about who you transact with? Who are your customers?”

“Technology wasn’t part of it,” says Katz. “It was simply, ‘Do you care about keeping information confidential and private?’”

In turn, Katz began to introduce concepts such as identity, and company officials began “shaking their heads and saying ‘Yeah, that makes sense,’” says Katz.

Katz, who now runs his own consultancy, continues to meet with CSOs and CISOs and does some mentoring as well. When he is giving career advice, he urges up-and-coming security professionals to hone their understanding of business and risk if they want to be successful in today’s corporate climate.

“The role is becoming a technical- and business-risk effort much more than it is viewed as a security role. The requirement to work with business professionals is probably the greatest hurdle security professionals have to face. If you aren’t at home working with people at the executive level of a corporation, you will be relegated to a much smaller role in the company.”

THE CSO OF THE FUTURE

TO PROJECT FUTURE developments in the CSO role, it’s useful to look a bit deeper at the CIO position, arguably the most recent to make a transformation from corporate support player to a more elevated executive spot. (Though not the first; recall that CFOs, before they became strategists focused on shareholder value, were simply accountants.) The challenge for CSOs, says Saffo, is to find ways to demonstrate their effectiveness beyond their core protective mission. He believes going to the next step will require CSOs to do what CIOs have managed to do over the last decade. That is, move from a support/infrastructure role to a central role in enhancing productivity and effectiveness around a company’s core mission.

That is the hope of Beth Cannon, CSO with Thomas Weisel Partners, an investment bank and broker-dealer based in San Francisco. Cannon has been with the company from its beginning in 1999, taking on the CSO role in 2004. Prior to her promotion, she was responsible for engineering and infrastructure that included the operations of the server and the network side of things.

“I had always had some level of security under me related to compliance and the network,” she says. “When regulations started increasing, the CIO said, ‘I think we need someone to focus on these things.’ That’s how my role was born in the company.”

In five years, the role has clearly changed, says Cannon. The company began doing international business, and Cannon then had to learn about compliance rules in several other nations in addition to the United States. The company also went public in 2006.

“Initially the job was very operational and infosec-focused in the respect that we had to get our patching stuff up to date, our network activity logged,” she says. “We had to get several things in place in order to have a better handle on what was going on outside of the network.”

Now, Cannon says, many of the protective measures she put in place at the start of her tenure have become operational. Things that had to be taken care of in the beginning are just business as usual now. That has given her a chance to put more time into finding ways for security not only to protect, but also to add value to the organization. A primary focus now is business continuity, she says. The recent swirl of concern around the swine flu pandemic helped bring the issue to the top of mind for executives.

“Now I’m trying to get out there and say, ‘This is more than just technology.’ Let’s talk about what you are going to do with your personnel.”

Another focus now is data classification. Cannon says she hopes her efforts will give security a seat at the executive table as she demonstrates the value that the department brings to future compliance and regulation efforts in the firm. Slowly, she says, she is pushing past that perception that security is merely a cost center, demonstrating its importance to the future mission of the company.

Just as social networking sites and other Web 2.0 applications have combined existing platforms to create a new way for users to communicate with each other, CSOs will need to combine knowledge of several aspects of business in order to effectively assess risk and communicate with executive management, according to Eric Domage, an information security analyst with IDC who focuses primarily on Western Europe. Domage recently spoke at a risk management conference about his vision of the duties for CSO 2.0.

Personal and communication skills are crucial for CSO 2.0 (a need that’s been reflected in the “State of the CSO” survey results for years: Respondents in 2003 named communication as the most critical skill for success). While many security directors may have come into their roles with a primary focus on one security concentration with little focus or communication elsewhere in the organization, they will now be required to work with many others throughout.

Those who cannot, won’t have a future, according to Tim Williams, director of global security at Caterpillar, the world’s largest maker of construction and mining equipment, diesel and natural gas engines and industrial gas turbines. Williams likens the changing landscape to a game of musical chairs.

“The music has stopped and the people who are able to get the chairs today and in the future are the ones who really do have the business context and outlook.”

Williams, a professional with decades of experience in security roles with companies such as Procter & Gamble, Boise Cascade and Nortel, sat on the board of ASIS International, which first put together an official definition of a CSO five years ago. Today, Williams defines the role as one of enterprise security risk management.

“The CSOs who have put together a cohesive strategy for the industry and the culture in which they work are probably the ones surviving this economic downturn,” notes Williams. “They have the ability to explain what the security process is, link it to the business and show the value.”

Williams believes that CSOs and CISOs will need to be able to come to the table armed with knowledge around the risk to the enterprise they work in from a security standpoint and be able to put that in a business context that can foresee the economic impact and the frequency or likelihood of a risk event occurring. He also speaks passionately about the need for an effective security leader to work well as part of a team. He credits much of the success he has experienced so far at Caterpillar to the strong dynamic between members of his security department.

Williams concurs that the job of the new CSO is to be an executive with a security-functional expertise. But how the CSO engages and puts risk context into the business is an art and a science that each CSO will need to master to gain the respect Saffo referred to previously. It will take a thorough understanding of a company’s product line and economic drivers, in addition to its risks. And it will likely mean knowing how to make the case for investment with limited resources. Williams believes that the number of security executives who hold MBA degrees will continue to grow in the future.

“You have got to develop a cohesive, understandable, clear strategy for how you are spending the company’s money and what risks you are addressing as a result of that spend,” says Williams. “The pressure will now be on the ability to logically and cohesively defend and advocate for dollars. It is a critical skill set we better have, or we are in trouble.”

And for those who do have the necessary skills? A walk through the halls of Genzyme today might offer a glimpse. CSO toured the facility recently and had a chance to see Kent’s state-of-the-art program that approaches security with an “all-hazards” view of risk. It includes an impressive monitoring room where staff members assess potential real-time risks to the company, looking at data from all over the world.

Such an all-encompassing view isn’t confined to a basement operations center. Earlier this year, Genzyme combined security, risk management, competitive and technical intelligence under a single purview and changed Kent’s title to vice president of global risk and business resources. Vastly different from his early days with the company as a security professional brought in to react to a negative event, Kent now takes a seat at the table with other executives in the company to discuss security strategy and risk assessment.

He is optimistic that this group will prove not merely reactive, but will grow in its ability to provide business intelligence.

“We are leveraging obvious synergies between the groups,” says Kent. “The interesting work, though, will be discovering new connections and building the resulting services that we don’t know about today.” ■


Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com.



Photo  by  Jason  Grow 



The tight job market makes the interview more high stakes than ever. We asked seasoned security recruiters for reminders on how to stand out from the pack. By Joan Goodchild

The pickings are slim in the job market and the time line of interviewing and then hiring new people is slow. But there are positions available in the security field, according to three veteran security recruiters that we spoke with recently. If you’re looking for a change in your career, or are looking to get back to work, there is simply no room for anything less than the best impression these days.

Hiring managers have plenty of candidates to choose from in the current economic climate. If you get a call saying you’ve got a job interview, every move counts. How can you have an edge over other candidates angling for the same position? Our experts weigh in on important steps to take in order to excel when you get your chance to wow a possible new employer.

BEFORE THE MEETING

Do make sure your resume is perfect. “I see a lot of resumes from people who are really bright, but their resume is very vanilla,” says Tracy Lenzner, CEO of the Lenzner Group, an executive recruitment company in New York. “Other resumes have too much content and are too long to read.”

Lenzner recommends polishing your resume before you even begin your next job search. A recruiter can assist with finding the appropriate length, as well as which accomplishments and experiences to highlight. In this competitive job market, it may even be necessary to tailor your resume for each job application.

“You can’t underestimate the criticalness of a resume,” she says. “Without a standout resume or a good contact to get you an interview, you really never get to square one.”

Do research the company. “The more prep work you can do, the better,” says Peter Metzger, a vice chairman of CTPartners, an executive search firm in New York. “It should include not only open-source research but third-party referencing. Always assume you don’t have enough information going in.”

Metzger recommends doing a SWOT analysis (strengths, weaknesses, opportunities and threats) for any potential new business you may hope to become involved in as an employee. Additionally, having a firm grasp of the company and its history will probably impress your interviewer.

Don’t forget to prepare. As a job applicant, you have to engage in a bit of social engineering, says Lee J. Kushner, founder and CEO of L. J. Kushner and Associates in New Jersey. “Find out what the pain points have been in an organization so you can go into an interview and show that you understand their problems. That level of preparation will make a lasting impression on the other side of the desk.”

Kushner says another thing to understand before heading into an interview is what the company culture is like. Will you be a good match? How do they dress? Is it a casual workplace or a button-up, tie-wearing place?

Do practice answering tough questions in advance. There are inevitable questions in every interview that people dread, says Lenzner. In a recent workshop, she asked attendees which one they hated most. Their answer: Tell me a little bit about yourself.

“It usually gets asked in the beginning of a meeting,” she says. “You want to sound effective right off the bat. The interviewer already knows a little about you, but they want to get a better idea of who you are.”

Those first few lines are crucial. It is like the opening of a book, says Lenzner. You will decide right then: Do I want to read this?

Instead of fishing in your brain during the interview, take time to proactively write it out ahead of time so you have a few lines you can use to succinctly tell someone about yourself. You want them to know: Who are you? Think: What do I want someone to know about me?

Other tough questions to consider practicing in advance include: “Tell me about your current role” and “What are your weaknesses?”


AT THE INTERVIEW

Don’t overemphasize your “cops and robbers” background. Experience in law enforcement or the military can provide many useful skills. But focusing on it too much can put off a potential employer, according to Metzger.

“Oftentimes, people who have been in armed security work, such as with the FBI or the Marine Corps, tend to overemphasize that,” he says. “But that experience is assumed. The gaining employer will assume you have those kinds of credentials. They don’t care how many shooting badges you’ve got; that’s not of importance.”

Don’t talk about all the armed things you’ve done. You want to present yourself as an executive, not a knuckle-dragger who is trying to be an executive, says Metzger.

Do show them you are an executive who understands security. “You are constantly selling your service,” says Metzger. “You are going from business unit to business unit and trying to sell them why certain things need to be done. Being able to articulate that you can do this is very important.”

Another pointer for striking the right tone: Listen a lot more than you talk, says Metzger.

“And there is no prize for speedy answers,” he says. “It’s not like a quiz in third grade. You can sit and think for a moment and formulate a response.”

Don’t get caught up in past accomplishments. Most people don’t know how to position themselves when competing for a job, says Lenzner.

“In addition to being an expert in your field, you have to be an expert in the world of your career,” she says. “People in the security industry tend to try and educate the gatekeeper—the recruiter—as to how wonderful they are and they shoot themselves in the foot. Sometimes less is more.”

Kushner agrees.

“People get caught up in interviews with what they have done. They fail to apply it to what they will be expected to do in their new role.”

Do provide examples of how you would solve problems. Job-seekers should relate their skills to the environment for which they are interviewing, according to Kushner.

“It’s not just enough to say, ‘I can help solve your problems.’ Employers want someone who already has solved the problem in their head. You might never have been a CISO at a healthcare organization, but can you reflect that you have experience solving the kinds of problems that the healthcare organization is dealing with? That is what you have to do in an interview. You want the person on the other side of the desk to know you can hit the ground running.”

AFTER THE INTERVIEW

Don’t forget to follow up. Phone calls aren’t great, according to Metzger. E-mails are OK, but written letters are best, he says. “A written letter demands some kind of response,” says Metzger.

Take the time to craft a thoughtful thank-you note to your interviewer.

Do strike the appropriate tone in your follow-up. It goes without saying the job market is tight right now. Many companies are interviewing candidates and delaying the hire until they can better afford it, says Metzger.

That said, you want to follow up and let them know you remain interested, but don’t be too aggressive in your approach.

“Most people who are in security are in security because they are aggressive,” says Metzger. “But you don’t want to be a pressure person. You want to be appropriate in your follow-up. Tell them: ‘I understand your decision to delay. I remain interested and will for the next six months.’ Make yourself sympathetic to their situation. You don’t want to be abrasive on these things.” ■


Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com.


[undercover]

By Anonymous

A Case of Help Desk Failure

How a lack of coordination between departments at a large bank opened up a big security hole, and what we did about it


As the engagement leader on security assessment projects for our clients, I frequently run into what I call the “IT Myopathy Syndrome.”

Quite a few well-meaning and high-placed individuals worry about protecting their IT assets and forget a basic principle: In “Capture the Flag,” if you capture the flag, the game is over.

Here’s an example of one such case.

On a recent jaunt to a client—a large national bank—my team and I were received warmly. After the mutual introductions were concluded and before the ceremonial taking off of the jackets, we were shown to a conference room where our team was to be based during the first phase of our four-week project.

Once we sat down, plugged in our computers (to check e-mail, of course) and started feeling a bit more comfortable, the director of IT security walked into the room and started a conversation with us.

Since the accounting group was our “sponsor” and our scope was allegedly not discussed with him, he wanted to know what we were planning to do, in what order, when and how.

A few minutes later he blurted out: “I don’t know why you are here at all. We got everything under control. We got firewalls, we do penetration testing. No vulnerabilities to find.”

“Oh no!” I thought, “Another engagement full of political battles between the sponsors and other principals. We best stay out of it.”

Continuing the conversation, I stated that per our scope, we have to go through a checklist of controls, verify their existence, test their validity and measure compliance. One of the first controls we had to deal with, I explained, is information security awareness.

The IT security director answered: “We are 100-percent covered. We make all new employees read a brochure and sign a statement acknowledging reading it and of the possible consequences of not complying with the rules.” “Great,” I said, “let’s test this, OK?”

After a few seconds of hesitation, he agreed. We went into the next conference room, just the two of us, and I asked to use the desk phone, which he graciously allowed.


I dialed the number for the IT help desk, which was found on a large label pasted on the phone.

The following is a transcript, from memory, of the conversation that followed (names have been changed to protect the “guilty”).

Help desk: “Good morning, Large Bank Help Desk, how may I help you?”

Me: “Ahh, yes. This is Joe from IT, my password isn’t working.”

Help desk: “Oh? Did you check to see if the CAPS LOCK key is on?”

(Good first step, I think, shows either knowledge or a clean flow chart.)

Me: “Yes. It just won’t work. Can you reset it for me?”

Help desk: “Sure, but let me verify who you are first, OK?”

(Great, I think, they appear to know what they are doing so far.)

Me: “Sure, what do you need?”

Help desk: “Well, your full name.”

Me: “Joseph P. Itdirector.”

Help desk: “Your employee number?”

Me: “123412345.”

(The number was printed in bold letters on Joe’s badge.)

Help desk: “Your extension?”

(Good, I’m thinking, it is NOT printed on the badge, but let’s try a bit of social engineering.)

Me: “Oh, my base is in New York, but right now I am at extension 223,” (the extension number from the station at which I was calling).

Help desk: “No problem, we just ask for it so we can call back to see if your new password is working after we reset it.”

(Uh-oh, I think, BIG PROBLEM!)

Help desk: “OK, I reset it to be ‘PASSWORD1’—all in caps.”

Me: “Thank you very much.” Then I hung up.

I turned to Joe and said, “Joe, your new password is ‘PASSWORD1.’”

Joe nodded his head. “See?” he said triumphantly, “They asked all the right questions!”

“They sure did,” I agreed. “The problem is that the only two pieces of information they asked for were your name and employee number. Both of those pieces of information are found on your badge. Does no one ever lose a badge, which contains your bank’s name on it, around here?”

This happened with the IT Help Desk people, who should be some of the most trained IT people in the company, and this happened to the IT security director’s account.

“But,” Joe said, “You are here to do an IT audit. This is social engineering that you just did!”

“Not exactly,” I said. “We are here to do a security assessment of IT controls, and two of the controls we have to check are awareness and training. This showed us that some people are not as aware as they should be and maybe more training is needed.”

“Well,” Joe said somewhat defensively, “I am not the one printing the badges. This is not an IT problem!”

I agree. This is not an IT problem only. This is a problem for the entire organization.

If security professionals today do not see the connection between a physical access badge and the security of their information systems, we have a big problem.

“We are not here to cast blame,” I said. “We are simply looking to see which controls need improvement, and I think that the process to verify users can be improved, don’t you?”

In Joe’s case, the opportunity to improve was noted and later acted upon by the enterprise.

A complete new process involving IT security assistance was introduced to the help desk, and refresher courses are now an annual mandate.
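The column does not describe the bank's new process, so what follows is an added example, not the author's or the bank's material. It models the verification the help desk actually performed (name and employee number, both printed on the badge, plus a callback to whatever extension the caller names) beside an assumed hardened policy: badge data only locates the directory record, at least one factor enrolled out of band is required, and the callback always goes to the extension of record rather than the one the caller supplies. The name and employee number are the ones from the transcript; the extension of record, the challenge answer and the directory itself are constructed sample data.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Employee:
    """Directory record. Only the last two fields are unknown to whoever
    finds a lost badge; they come from telephony/HR, never from the caller."""
    name: str
    employee_number: str       # printed on the badge, as in the column
    extension_of_record: str   # constructed: telephony directory entry
    challenge_answer: str      # constructed: enrolled out of band at onboarding


# Constructed sample directory (hypothetical values, not the bank's data).
DIRECTORY = {
    "123412345": Employee("Joseph P. Itdirector", "123412345", "4110", "maple street"),
}


@dataclass(frozen=True)
class ResetRequest:
    claimed_name: str
    claimed_employee_number: str
    claimed_extension: str                  # whatever the caller says
    challenge_answer: Optional[str] = None  # absent in the column's call


@dataclass
class Decision:
    approved: bool
    callback_extension: Optional[str]
    escalate_to_security: bool = False
    reasons: List[str] = field(default_factory=list)


def _same(a: str, b: str) -> bool:
    """Case- and whitespace-insensitive compare without a timing side channel."""
    return hmac.compare_digest(a.strip().casefold().encode(), b.strip().casefold().encode())


def verify_badge_only(req: ResetRequest) -> Decision:
    """The process the column describes, kept as the weak 'before':
    name + employee number, then a callback to the caller-supplied extension."""
    emp = DIRECTORY.get(req.claimed_employee_number)
    if emp is None or not _same(emp.name, req.claimed_name):
        return Decision(False, None, reasons=["no matching directory record"])
    return Decision(True, req.claimed_extension,
                    reasons=["name and employee number matched (both on the badge)"])


def verify_hardened(req: ResetRequest) -> Decision:
    """Assumed hardened policy (an illustration, not the bank's actual process):
    1. badge-printed data only selects the record and proves nothing;
    2. an out-of-band factor (enrolled challenge answer) is mandatory;
    3. the callback target is taken from the directory, never from the caller;
    4. a failed factor is escalated to IT security instead of retried."""
    d = Decision(False, None)
    emp = DIRECTORY.get(req.claimed_employee_number)
    if emp is None or not _same(emp.name, req.claimed_name):
        d.reasons.append("no matching directory record")
        return d
    if req.challenge_answer is None or not _same(emp.challenge_answer, req.challenge_answer):
        d.reasons.append("only badge-printed data offered; challenge answer missing or wrong")
        d.escalate_to_security = True
        return d
    if not _same(emp.extension_of_record, req.claimed_extension):
        d.reasons.append(f"caller-supplied extension {req.claimed_extension} ignored; "
                         f"callback goes to extension of record {emp.extension_of_record}")
    d.approved = True
    d.callback_extension = emp.extension_of_record
    d.reasons.append("record located, out-of-band factor verified")
    return d


def story_request() -> ResetRequest:
    """The call from the column: badge data plus the conference-room extension."""
    return ResetRequest("Joseph P. Itdirector", "123412345", "223")


if __name__ == "__main__":
    for policy in (verify_badge_only, verify_hardened):
        print(policy.__name__, policy(story_request()))
```

Under the badge-only policy the transcript's call is approved and the "callback" lands on the conference-room phone the caller is sitting at, which is exactly why that check added nothing. Under the hardened policy the same call is denied and escalated, while a genuine caller who knows the enrolled answer is still served, with the confirmation call placed to the desk of record whatever extension they quoted.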

A similar problem exists in IT people saying, “Well, access control is not my problem.”

They may be following organizational guidelines, but not organizational best ideas. An example can be seen in the CISSP exam’s required body of knowledge.

The 10 principles of a basic CISSP are:

1. Access control;
2. Application security;
3. Business continuity and disaster recovery planning;
4. Cryptography;
5. Information security and risk management;
6. Legal, regulations, compliance and investigations;
7. Operations security;
8. Physical (environmental) security;
9. Security architecture and design;
10. Telecommunications and network security.

Notice that item three is not “data center continuity,” and that item eight is not “firewall security.” What good would 100-percent recovery of our entire computer and information be if we had no place to recover it to?

What good will a great backup program do if the employees (i.e. users) are not there to access it?

Similarly, what good is a firewall if by passing by one door or bypassing one receptionist, a person with bad intent has reached the keyboard? Has loaded the server on a truck? How is that “protecting the information?”

For our profession to continue existing, we must evolve.

Caring about firewalls and antivirus, for example, is an analyst’s responsibility, and in a large company, it’s a manager’s responsibility. To earn the “C” or the “O” and to continue to enjoy a seat at the table, information security professionals must become business people.

In many companies today, and perhaps not in small part due to the global recession, we see the security function being pushed down in the enterprise.

From a vice-president level to a director; from a director, to a manager. This trend reflects business realities.

We must metamorphose and trade our traditional IT focus and lingo into organizational (read: business) vision.

Business does not “care” about IT. Business cares about risk and opportunity.

Similar to how CIOs do not want to be seen as a utility (they would rather be seen as a strategic asset), security professionals ought to want to be seen as risk mitigators.

To ensure our survival and justify our salaries, we should look at organizational processes and not focus on IT functions. ■


The  author  is  a  former  CISO,  director  of  strate¬ 
gic  consulting  for  a  security  vendor  and  a  gov¬ 
ernment  security  operative. 


June  2009  www.csoonline.com  33 


[FORRESTER VIEW]

By Bill Nagel

Password Seeks Partner for Long-Term Secure Relationship

Key trends in strong authentication


Passwords have been standing guard over our computer user accounts seemingly forever; for a long while, and for most purposes, they could go it alone. But it's no secret that passwords are no longer sufficient as the sole means of granting access to critical networks, applications and data— particularly as the number of applications requiring passwords at any given firm has skyrocketed. Passwords might be too weak or not changed regularly enough; users may write them down in a publicly accessible (read: not very secure) place; or the passwords are so long, so complex and changed so often that they are impossible to remember.

Organizations have been enacting more stringent measures to protect corporate and customer data from external and internal threats, comply with regulations and manage information risks. One result is that enterprise security strategies have focused more sharply on managing user identities, access rights and entitlements, driving a broader movement toward identity and access management (IAM). One of the first things firms recognize is that single-factor authentication (passwords alone) is a weak link in the security chain.

Firms looking to improve their IAM posture and clear the way to implement processes and technologies, like account and credential provisioning and lifecycle management, authorization and entitlement management, single sign-on (SSO), privileged user management and federation, look to strong authentication as a starting point.

If IAM is analogous to allowing only those people you trust to enter your house, then strong authentication is the first step in the process— putting a lock on your door.

Deciding on a strong authentication solution is basically determining what combination of locks and keys will work best in a particular environment. But this is far from a trivial exercise: Dozens of distinct types of second-factor credentials— such as tokens, smart cards and biometrics— dot today's marketplace; most of them provide a similar level of security.

But the main question driving the strong authentication marketplace today is not security, it's usability. Users don't like complexity and they don't like to do something extra that affects their productivity. Companies mandating strong authentication found that employees would circumvent this burden whenever and however possible (like sharing credentials). This poses a problem for vendors and buyers alike: What will end users actually use?

With that in mind, here are three of the trends in the strong authentication market.

A broader range of authentication options. Different users have different needs, depending on whether they're inside or outside the company network and/or its physical premises and what kinds of sensitive information they're allowed to access. Mobile, IT-savvy users needing to access IT resources via remote VPN have different demands, desires and capabilities than office-bound administrative staff, for example. And buyers want a one-stop shop where they can get everything they need for all of their users, including a credential management back end that handles multiple credential types seamlessly.

Multipurpose, easy-to-use credentials. Hardware tokens and other physical credentials can be unwieldy to carry and use, but it really becomes annoying when you're carrying several of them— it's the "token necklace" problem. Employers have the luxury of mandating that employees use a certain token but have less authority to extend such mandates to business partners.

Multipurpose credentials have clear benefits, even if those purposes are all internal to the company— for example, using the same card for building access and network access. And any form factor that holds credentials that people can use in multiple contexts (think work, bank, eBay, etc.) will gain acceptance more easily. Small wonder, then, that smart cards and USB smart-card tokens are the form factors offered by the largest number of vendors.

Collaboration on authentication standards. Several vendors have joined the effort to develop and improve open-authentication standards like OATH. This will make it easier for customers to pick and choose the form factors (even from different vendors) that make the most sense for the various types of users among their employee population in terms of security, usability and cost. It's also an important step on the path to broad-based availability of strong authentication for consumers.
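What an open standard like OATH actually buys the buyer is that the one-time-password algorithm is fully specified, so a token from any vendor seeded with the same secret produces the same codes and can be checked by the same back end. The Python below is an added example written for this page, not Forrester's or any vendor's code; it implements OATH HOTP as published in RFC 4226 and checks itself against that RFC's published test vector (the ASCII seed "12345678901234567890"). The function names `hotp` and `verify_hotp` and the `look_ahead` window size are this example's own choices.

```python
import hashlib
import hmac
import struct

# Shared-secret seed taken from the RFC 4226 test vectors (the ASCII string
# "12345678901234567890"); a published test value, not a real token seed.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA-1 over the counter, dynamically truncated."""
    # Step 1: the moving factor is the 8-byte big-endian event counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 2: dynamic truncation. The low nibble of the last HMAC byte selects an
    # offset; the four bytes from there, top bit cleared, form a 31-bit integer.
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Step 3: keep the low `digits` decimal digits, zero-padded on the left.
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str,
                look_ahead: int = 3, digits: int = 6):
    """Validation-server side of HOTP (example design, not from the page).

    Accepts `candidate` if it matches the code at the stored counter or at one of
    the next `look_ahead` counters (the RFC 4226 resynchronisation window, which
    absorbs codes the user generated but never submitted). Returns the counter the
    server must store next, or None on rejection. The counter never moves
    backwards, which is what makes a captured code single-use.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    for c in range(counter, counter + look_ahead + 1):
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Prints the first few RFC 4226 test-vector codes (755224, 287082, 359152).
    for n in range(3):
        print(n, hotp(RFC4226_TEST_SECRET, n))
```

The value of the look-ahead window is a usability decision of exactly the kind the column describes: a wider window means fewer "my token is out of sync" help-desk calls, but every extra counter the server is willing to accept is one more valid code an attacker could guess, so it should stay small and be paired with a lockout on repeated failures.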

What It Means

The strong authentication market is maturing and expanding: Technological innovation is no longer the chief driver. Biometrics, mobile authentication and PKI solutions are still at the technological forefront, but their bleeding-edge status is long gone. The industry used to sell and differentiate itself on technological innovation, but it now reflects the broader trends in the IT and IT security marketplaces: a few major vendors dominate the landscape and fill out their portfolios via acquisition just as often as through organic growth. This is largely due to:

The reality of having to serve the masses. Strong authentication has moved well past the early-adopter phase. It's no longer characterized by techies bragging about the length of their private key; it's a straightforward and increasingly transparent tool that's necessary for thriving in today's IT security environment. Buyers want an offering from a stable, diversified vendor whose solutions play nice with their existing IT infrastructure and which can bring a wealth of business perspective, professional services and quality support to the table.


Divergent needs of the user community. "Usable" means different things to different people. As such, the market is not going to settle on any one form factor anytime soon. Quite the opposite: Many of the major vendors are adjusting their form factor and management system offerings to deal with the reality that different user populations, even within a single firm, might be better served by using different physical forms of credentials.

Broader trends in the IAM market. Companies are struggling to comply with regulations, save costs and improve their administrative efficiency, but don't yet have a strategic vision of how IAM can help improve business processes. Consolidation— bringing more IAM components under the aegis of a single vendor with a breadth of experience and expertise— is one way to dispel the notion of IAM as a disjointed set of technologies serving primarily tactical ends, and the strong authentication market is mirroring that.

There is technological innovation happening in the strong authentication space, but it's concentrated among smaller companies that can get CIOs excited about being on the cutting edge of technology. Many of these vendors fill gaps in the major players' product lines and will eventually be acquired by one of them as the consolidation frenzy continues. Others will disappear, either into their own niche or altogether.

But for now, most enterprise buyers will stick with the few remaining settled vendors, even as the market swells with small vendors looking for their piece of the authentication pie. ■

Bill Nagel is a researcher at Forrester Research.

Illustration by Jane Sterrett/Veer




[DEBRIEFING]

NISST Guide to Application of Security Humor

[Illustration: a parody NIST-style publication cover, "Natl. Inst. Sec. Stand. Tech. Publ. 800-12345", showing a Table of Contents (Executive Summary; 1 Introduction; Appendix A: Instantiation ("Jokes")) and an Executive Summary on security humor for information security professionals]



Photo  by  iStockphoto.com 


The latest and greatest in online security. Also the greenest.

Identified by VeriSign

Get visible site security from the company your customers trust.

It's simple: a green bar means your site is secure. For your customers, this means they can trust their Web experience. It's all done through VeriSign® Extended Validation (EV) SSL Certificates, which verify and visually represent the authenticity and security of Web sites. This protects you and online customers. Combine visitor confidence with the strongest encryption available to each site visitor to maximize your site's overall security profile.

Get your free white paper, The Latest Advancements in SSL Technology, at www.verisign.com/cso or call 1-866-893-6565 or 1-650-426-5115.

© 2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


CA Security Management software streamlines your IT security environment so your business can be more secure, agile and compliant without upsizing your infrastructure. All with faster time to value. Greater efficiency starts with more efficient IT. That's the power of lean.

Learn more at ca.com/security/value

SC Magazine Awards: Winner, Reader Trust Award for Best Identity Management Solution. Honored in the U.S.

Copyright © 2009 CA. All rights reserved.


